Abstract 



A major motivation for formal systems such as programming languages and logics is that 
they support the ability to perform computations in a safe, secure, and understandable 
way. A considerable amount of effort has consequently been devoted to developing tools 
and techniques for structuring and analyzing such systems. It is natural to imagine that 
research in this setting might draw benefits from its own labor. In particular, one might 
expect the study of formal systems to be conducted with the help of languages and logics 
designed for such study. There are, however, significant problems that must be solved before 
such a possibility can be made a practical reality. One such problem arises from the fact that 
formal systems often have to treat objects such as formulas, proofs, programs, and types 
that have an inherent binding structure. In this context, it is necessary to provide a flexible 
and logically precise treatment of related notions such as the equality of objects under the 
renaming of bound variables and substitution that respects the scopes of binders; there is 
considerable evidence that if such issues are not dealt with in an intrinsic and systematic 
way, then they can overwhelm any relevant reasoning tasks. For a logic to be useful in 
this setting, it must also support rich capabilities such as those for inductive reasoning over 
computations that are described by recursion over syntax. 

This thesis concerns the development of a framework that facilitates the design and 
analysis of formal systems. Specifically, this framework is intended to provide 1) a specifi- 
cation language which supports the concise and direct description of a system based on its 
informal presentation, 2) a mechanism for animating the specification language so that de- 
scriptions written in it can quickly and effectively be turned into prototypes of the systems 
they are about, and 3) a logic for proving properties of descriptions provided in the speci- 
fication language and thereby of the systems they encode. A defining characteristic of the 
proposed framework is that it is based on two separate but closely intertwined logics. One 
of these is a specification logic that facilitates the description of computational structure 
while the other is a logic that exploits the special characteristics of the specification logic 
to support reasoning about the computational behavior of systems that are described using 
it. Both logics embody a natural treatment of binding structure by using the λ-calculus as 
a means for representing objects and by incorporating special mechanisms for working with 
such structure. By using this technique, they lift the treatment of binding from the object 
language into the domain of the relevant meta logic, thereby allowing the specification or 
analysis components to focus on the more essential logical aspects of the systems that are 
encoded. 

One focus of this thesis is on developing a rich and expressive reasoning logic that is of 
use within the described framework. This work exploits a previously developed capability 
of definitions for embedding recursive specifications into the reasoning logic; this notion 
of definitions is complemented by a device for a case-analysis style reasoning over the 
descriptions they encode. Use is also made of a special kind of judgment called a generic 
judgment for reflecting object language binding into the meta logic and thereby for reasoning 
about such structure. Existing methods have, however, had a shortcoming in how they 
combine these two devices. Generic judgments lead to the introduction of syntactic objects 
called nominal constants into formulas and terms. The manner in which such objects are 
introduced often ensures that they satisfy certain properties which are necessary to take 
note of in the reasoning process. Unfortunately, this has heretofore not been possible to 
do. To overcome this problem, we introduce a special binary relation between terms called 
nominal abstraction and show this can be combined with definitions to encode the desired 
properties. The treatment of definitions is further enriched by endowing them with the 
capability of being interpreted inductively or co-inductively. The resulting logic is shown 
to be consistent and examples are presented to demonstrate its richness and usefulness in 
reasoning tasks. 

This thesis is also concerned with the practical application of the logical machinery it 
develops. Specifically, it describes an interactive, tactic-style theorem prover called Abella 
that realizes the reasoning logic. Abella embodies the use of lemmas in proofs and also 
provides intuitively well-motivated tactics for inductive and co-inductive reasoning. The 
idea of reasoning using two levels of logic is exploited in this context. This form of reasoning, 
pioneered by McDowell and Miller, embeds the specification logic explicitly into the 
reasoning logic and then reasons about particular specifications through this embedding. 
The usefulness of this approach is demonstrated by showing that general properties can 
be proved about the specification logic and then used as lemmas to simplify the overall 
reasoning process. We use these ideas together with Abella to develop several interesting 
and challenging proofs. The examples considered include ones in the recently proposed 
POPLmark challenge and a formalization of Girard's proof of strong normalization for the 
simply-typed λ-calculus. We also explore the notion of adequacy that relates theorems 
proved using Abella to the properties of the object systems that are ultimately of primary 
interest. 
Chapter 1 



Introduction 

In this thesis we are interested in developing a framework for mechanizing the specification 
and prototyping of formal systems and also the process of reasoning about the properties 
of such systems based on their specifications. The formal systems that are of interest to us 
are ones that concern computation: for instance, they might characterize evaluation and 
typing in a programming language, provability in a logic, or behavior in a concurrency 
system. Formal systems of these kinds typically manipulate syntactically complex objects 
such as formulas, proofs, and programs. Mechanized specification and reasoning about such 
systems has proven difficult to achieve through the use of traditional tools and techniques 
[ABF+05]. We propose a framework here which overcomes these difficulties and, through 
this process, brings the benefits of automation and computer-aided verification to bear on 
the development of these types of systems. In particular, this thesis proposes a framework 
that facilitates the development of such systems by providing 1) a specification language 
which supports the concise and direct description of a system based on its informal presen- 
tation, 2) a mechanism for animating the specification language so that descriptions written 
in it can quickly and effectively be turned into prototypes of the systems they are about, 
and 3) a logic for proving properties of descriptions provided in the specification language 
and thereby of the systems they encode. 

1.1 A Framework for Specification, Prototyping, and Reasoning 

The formal systems that we would like to specify and reason about are all characterized 
by the fact that they are based on syntactic expressions and their behavior is determined 
by the structure of these expressions. For brevity we will refer to such systems simply as 
computational systems. A popular approach to describing such systems starts by describing 
various possible judgments over the syntax of the systems. Then rule schemas are pre- 
sented where each schema allows a judgment to be formed from other judgments, often in 
a compositional manner. Finally, instances of these rule schemas are chained together into 
a derivation where each premise judgment of a rule instance is the consequence judgment 
of another rule instance. A judgment is said to hold if and only if it is the final conclusion 
judgment of a derivation. Thus one can understand the behavior of a system by studying 
the rule schemas for forming judgments about the system. This approach to describing a 
computational system is known as structural operational semantics [Plo81]. 

Structural operational semantics descriptions have a logical flavor in that one simply 
describes a few declarative rules for manipulating syntax and these are orchestrated together 
to reach larger conclusions about the behavior of the system. The framework we propose 
allows for such descriptions to be formally specified via a specification logic similar to the 
logic of Horn clauses. We call such an encoding of a computational system into this logic 
a specification. More specifically, the system syntax is encoded as specification logic terms, 
judgments are encoded as specification logic atomic formulas, and rules are encoded as 
richer specification logic formulas. Derivations of atomic formulas within the specification 
logic then correspond to derivations in structural operational semantics descriptions. Thus 
we can study a wide variety of computational systems via a study of the specification logic. 

In order to interact with computational systems, our proposed framework supports 
prototyping based on the system specification. This prototyping is driven directly by the 
formal specification, by giving a computational interpretation of the specification logic in the 
same sense that Prolog provides a computational interpretation to the logic of Horn clauses. 
This eliminates the need for the framework user to manually develop a prototype based on 
the specification, thus avoiding a source of potential errors. Also, as the specification evolves 
this ensures that the prototype remains faithful to the current specification. 

The specification of a computational system consists of local rules about the system 
behavior, but one is often interested in global properties of the system. For example, pro- 
gramming language designers often describe the rules for evaluation and typing judgments 
for a language and then prove properties which relate the two judgments together such as 
that the evaluation judgment preserves the typing judgment. Such properties ensure that 
the language is well-behaved relative to programmers' expectations. In order to prove these 
properties about a structural operational semantics description one must be able to analyze 
the ways in which derivations may be formed. In the example of proving that evaluation 
preserves typing, one may inductively analyze the possible forms that a derivation of an 
evaluation judgment may have and for each possibility argue that the typing judgment for 
the evaluated term can be restructured into a typing judgment for the term which results 
from the evaluation. 

The proposed framework allows for reasoning over structural operational semantics de- 
scriptions via a meta-logic. The meta-logic contains mechanisms such as induction and 
co-induction which are essential to sophisticated reasoning. The meta-logic also contains a 
mechanism called definitions which allows one to connect atomic judgments to descriptions 
of behavior in a "closed world" fashion. Thus, it allows for both positive reasoning, i.e., 
showing that a judgment holds, and negative reasoning, i.e., analyzing why a judgment 
holds. This allows one to easily carry out the case-analysis-like reasoning described in the 
example of typing and evaluation. 

We refer to this second logic as a meta-logic because, in our approach, we use it to encode 
the entire specification logic, rather than to encode each specification independently. We 
then reason about particular specifications by reasoning about their descriptions in the 
specification logic. This style of reasoning was pioneered by McDowell and Miller [MM02] 
and is called the two-level logic approach to reasoning. One of its benefits is that it allows us 
to reason over specifications exactly as they are written and used in prototyping. Another 
is that it allows properties of the specification logic to be formally proven once and for 
all in the meta-logic and then used freely during reasoning. In practice, many tedious 
substitution lemmas proven about particular specifications are subsumed by these more 
general properties of the specification logic. 

A pervasive issue in the computational systems of interest is dealing with the binding 
structure of syntactic objects. For example, to develop a programming language we need 
to formalize the rules for binding local variables which requires a systematic way 1) to 
associate variable occurrences with their binders, 2) to treat objects which differ only in 
the name of bound variables as being identical, and 3) to realize a logically correct notion 
of capture-avoiding substitution which respects the binding structure of objects. Our proposed 
framework addresses all of these issues by mapping the binding structure of objects 
into the abstraction mechanism of the meta-language, i.e., the specification logic during 
specification and the meta-logic during reasoning. This is called a higher-order abstract 
syntax representation [MN87, PE88]. In this way, the meta-language notion of binding 
describes how variable occurrences are associated to the binder, the meta-language notion 
of equality provides a way to identify objects differing only in the names of bound 
variables, and meta-language function application and reduction realize capture-avoiding 
substitution. 

1.2 An Illustration of the Application of the Framework 

Throughout this thesis we will use the example of the simply-typed λ-calculus [Chu40, 
Bar84]. This is a compact example which highlights many of the essential difficulties 
involved in specifying, prototyping, and reasoning about a computational system with 
binding. Anytime we use such a system as the focus of study we shall refer to it as the object 
language or the object logic. 

The syntax of the simply-typed λ-calculus is made up of two classes of expressions called 
types and pre-terms which are defined, respectively, by the following grammar rules. 

    a ::= i | a → a 
    t ::= x | (λx : a. t) | (t t) 

Here x is a variable occurrence and in the expression (λx : a. t) the x is to be considered bound 
within the expression t. We assume the standard notions of binding including free and bound 
variables, equivalence under renaming of bound variables, and a notion of capture-avoiding 
substitution denoted by t[x := s]. Note, however, that when one formally specifies this 
system within a framework, these notions will need to be dealt with somehow. We will 
denote types using variables named a, b, c, and d, pre-terms using variables named m, n, 
r, s, t, and v, and object language variables using x, y, and z. 

We define a notion of big-step call-by-name weak reduction which we call simply evaluation. 
This is denoted by the judgment t ⇓ v which can be read as "t evaluates to v." The 
rules for forming derivations of this judgment are presented in Figure 1.1. 

We define a notion of typing via the judgment Γ ⊢ t : a which can be read as "t has 
type a relative to the context Γ." Here Γ is called a typing context and is described by the 
following grammar. 

    Γ ::= • | Γ, x : a 

We will write a context of the form •, x1 : a1, . . . , xn : an simply as x1 : a1, . . . , xn : an. We 
define dom(x1 : a1, . . . , xn : an) as {x1, . . . , xn}. In Γ, x : a we require that x ∉ dom(Γ). 
We satisfy this restriction by renaming bound variables as needed. The rules for forming 
derivations of the typing judgment are presented in Figure 1.2. If t is a pre-term such that 
there exists a type a for which Γ ⊢ t : a holds, then we call t a term. 

    ─────────────────────────        m ⇓ (λx : a. r)    r[x := n] ⇓ v 
    (λx : a. r) ⇓ (λx : a. r)        ───────────────────────────────── 
                                                 (m n) ⇓ v 

Figure 1.1: Evaluation in the simply-typed λ-calculus 

     x : a ∈ Γ        Γ, x : a ⊢ r : b                 Γ ⊢ m : a → b    Γ ⊢ n : a 
    ───────────    ─────────────────────────       ─────────────────────────────── 
    Γ ⊢ x : a      Γ ⊢ (λx : a. r) : a → b                  Γ ⊢ (m n) : b 

Figure 1.2: Typing in the simply-typed λ-calculus 

We can now think of encoding the simply-typed λ-calculus into our specification logic. 
This begins with the constructors i and arr for representing the base and arrow types. We 
also use the constructors app and abs for representing applications and abstractions. Using 
a higher-order abstract syntax encoding there is no constructor for variables, and instead 
the abs constructor takes two arguments: 1) the type of the abstracted variable and 2) 
a specification logic abstraction representing the body. For example, the object language 
term (λx : i. (λy : i. x)) is denoted by (abs i (λx. abs i (λy. x))) where these latter λs are 
specification logic abstractions. 

We introduce the specification logic predicates eval and of for representing evaluation 
and typing judgments respectively. Assuming a Horn clause-like specification logic, the 
rules for forming evaluation and typing judgments are encoded into the specification logic 
formulas shown in Figure 1.3. This specification uses various features of the specification 
logic which go beyond simple Horn clauses such as function application for realizing 
capture-avoiding substitution, universal quantification to avoid explicit side-conditions, and 
specification logic hypotheses for representing typing contexts. The complete details of this 
specification are presented in Chapter 2. For now it is sufficient to appreciate that the 
structural operational semantics description of the simply-typed λ-calculus can be encoded 
very directly into the specification logic. Moreover, a Prolog-like operational interpretation 
of proof search for the specification logic yields a prototype for our specification. 
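As an added example (not the thesis's λProlog specification), the higher-order abstract syntax encoding just described, rendered in Python: abs carries its body as a Python function, so the substitution r[x := n] that the encoding realizes by function application is the call r(n), and typing an abstraction introduces a fresh variable under a new hypothesis in the way the clause ∀x. of x a ⊃ of (r x) b does. The names eval_, of, render and Nom, the tuple representation of types, and the sample terms K, ID, APPLY and SAMPLE are this example's own choices.

```python
# Higher-order abstract syntax encoding of the simply-typed lambda-calculus in
# the spirit of Figure 1.3 (added example; not the thesis's λProlog code). Types
# are the string "i" or a pair (a, b) standing for arr a b; abs carries its body
# as a Python function, so r[x := n] is just the application r(n).
import itertools
from dataclasses import dataclass
from typing import Callable, Optional, Union

I = "i"

@dataclass(frozen=True)
class App:                     # app m n
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Abs:                     # abs a (λx. ...): the body is a meta-level abstraction
    ty: object
    body: Callable[["Term"], "Term"]

@dataclass(frozen=True)
class Nom:
    """A fresh variable created only when a binder is crossed; the surface
    syntax has no variable constructor, as in the text."""
    idx: int

Term = Union[App, Abs, Nom]

def eval_(t: Term) -> Optional[Term]:
    """The eval clauses of Figure 1.3 read as a functional program."""
    if isinstance(t, Abs):
        return t                          # eval (abs a m) (abs a m)
    if isinstance(t, App):
        f = eval_(t.fun)                  # eval m (abs a r)
        if isinstance(f, Abs):
            return eval_(f.body(t.arg))   # eval (r n) v: substitution is application
    return None

def of(t: Term, hyps=None, counter=None):
    """The of clauses of Figure 1.3. hyps maps a Nom to its assumed type and
    plays the role of the hypotheses that stand for the typing context."""
    hyps = {} if hyps is None else hyps
    counter = itertools.count() if counter is None else counter
    if isinstance(t, Nom):
        return hyps.get(t)                             # the hypothesis of x a
    if isinstance(t, Abs):
        x = Nom(next(counter))                         # ∀x.
        b = of(t.body(x), {**hyps, x: t.ty}, counter)  # of x a ⊃ of (r x) b
        return (t.ty, b) if b is not None else None    # of (abs a r) (arr a b)
    fty, aty = of(t.fun, hyps, counter), of(t.arg, hyps, counter)
    if isinstance(fty, tuple) and aty is not None and fty[0] == aty:
        return fty[1]                                  # of (app m n) b
    return None

def show_ty(a) -> str:
    return a if isinstance(a, str) else f"({show_ty(a[0])} -> {show_ty(a[1])})"

def render(t: Term, counter=None) -> str:
    """Print a HOAS term, choosing a name for each binder as it is crossed."""
    counter = itertools.count() if counter is None else counter
    if isinstance(t, Nom):
        return f"x{t.idx}"
    if isinstance(t, App):
        return f"({render(t.fun, counter)} {render(t.arg, counter)})"
    x = Nom(next(counter))
    return f"(λx{x.idx}:{show_ty(t.ty)}. {render(t.body(x), counter)})"

# Constructed sample terms; K is the text's (abs i (λx. abs i (λy. x))).
K = Abs(I, lambda x: Abs(I, lambda y: x))
ID = Abs(I, lambda z: z)
APPLY = Abs((I, I), lambda f: Abs(I, lambda y: App(f, y)))
SAMPLE = App(APPLY, ID)
```

Because there is no variable constructor, the only way to look inside an abstraction is to apply its body to something, which is exactly what both of and render do with a fresh Nom; this is the decomposition of binding structure that the later chapters handle with the ∇ quantifier.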

    ∀a, m. [eval (abs a m) (abs a m)] 
    ∀m, a, r, n, v. [eval m (abs a r) ⊃ eval (r n) v ⊃ eval (app m n) v] 

    ∀m, a, b, n. [of m (arr a b) ⊃ of n a ⊃ of (app m n) b] 
    ∀a, r, b. [(∀x. of x a ⊃ of (r x) b) ⊃ of (abs a r) (arr a b)] 

Figure 1.3: A Horn clause-like encoding of evaluation and typing 

Returning to the original structural operational semantics description of the simply-typed 
λ-calculus for the moment, let us think of proving some global property of the system. 
One such property of interest is that evaluation preserves the type of a term, called the type 
preservation property. Let us consider how such a property can be proved in an informal, 
mathematical setting. We might proceed by first showing the auxiliary properties of typing 
judgments that are contained in the following two lemmas. 

Lemma 1.2.1. If Γ ⊢ t : a and Γ' is a permutation of Γ, then Γ' ⊢ t : a. Moreover, the 
derivations have the same height. 

Proof. The proof is by induction on the height of the derivation of Γ ⊢ t : a. □ 

Lemma 1.2.2. If Γ, x : a ⊢ t : b and Γ ⊢ s : a then Γ ⊢ t[x := s] : b. 

Proof. The proof is by induction on the height of the derivation of Γ, x : a ⊢ t : b. In the 
case where t is an abstraction we use Lemma 1.2.1 to permute the assumption x : a to the 
end of the context. □ 

We can now state and prove the main property of interest. 

Theorem 1.2.3. If t ⇓ v and ⊢ t : a then ⊢ v : a. 

Proof. The proof is by induction on the height of the derivation of t ⇓ v. 

Base case. If the derivation has height one then it must end with the following. 

    ───────────────────────── 
    (λx : a. r) ⇓ (λx : a. r) 

Then t = v and the result is trivial. 

Inductive case. If the derivation has height greater than one, then it must end with the 
following. 

    m ⇓ (λx : b. r)    r[x := n] ⇓ v 
    ───────────────────────────────── 
                (m n) ⇓ v 

Here t = (m n) and we have shorter derivations of m ⇓ (λx : b. r) and r[x := n] ⇓ v. By 
assumption we know that ⊢ (m n) : a holds which means it has a derivation which must 
end with 

    ⊢ m : c → a    ⊢ n : c 
    ─────────────────────── 
          ⊢ (m n) : a 

for some type c. Now we can apply the inductive hypothesis to m ⇓ (λx : b. r) and 
⊢ m : c → a to obtain a derivation of ⊢ (λx : b. r) : c → a. Then it must be that b = c and 
this derivation ends with the following rule. 

         x : b ⊢ r : a 
    ────────────────────────── 
    ⊢ (λx : b. r) : b → a 

By Lemma 1.2.2 we have a derivation of ⊢ r[x := n] : a. Finally, we use the inductive 
hypothesis on r[x := n] ⇓ v and this typing judgment to conclude ⊢ v : a. □ 
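The object system of Section 1.2 written out with named variables, as an added example that is not part of the thesis: capture-avoiding substitution t[x := s], the evaluation rules of Figure 1.1, the typing rules of Figure 1.2 (including the renaming that keeps x ∉ dom(Γ)), and a check of the statement of Theorem 1.2.3 on a constructed closed term. The function names subst, evaluate, typeof and preserves_type, the tuple representation of arrow types, and the sample terms ID, APPLY and SAMPLE are this example's own.

```python
# Named-variable implementation of the simply-typed lambda-calculus of Section 1.2
# (added example; not code from the thesis). Types are the string "i" or a pair
# (dom, cod) standing for dom -> cod; pre-terms are the three dataclasses below.
from dataclasses import dataclass
from typing import Optional, Union

I = "i"

@dataclass(frozen=True)
class Var:            # a variable occurrence
    name: str

@dataclass(frozen=True)
class Abs:            # (λvar : ty. body)
    var: str
    ty: object
    body: "Term"

@dataclass(frozen=True)
class App:            # (fun arg)
    fun: "Term"
    arg: "Term"

Term = Union[Var, Abs, App]

def free_vars(t: Term) -> set:
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.var}

def fresh(base: str, avoid: set) -> str:
    """A name derived from base that does not occur in avoid."""
    n = 0
    while f"{base}{n}" in avoid:
        n += 1
    return f"{base}{n}"

def subst(t: Term, x: str, s: Term) -> Term:
    """Capture-avoiding t[x := s]; a binder that would capture a free variable
    of s is renamed first."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.var == x:                      # x is rebound: no free occurrence below
        return t
    if t.var in free_vars(s):
        y = fresh(t.var, free_vars(s) | free_vars(t.body) | {x})
        return Abs(y, t.ty, subst(subst(t.body, t.var, Var(y)), x, s))
    return Abs(t.var, t.ty, subst(t.body, x, s))

def evaluate(t: Term) -> Optional[Term]:
    """Big-step call-by-name weak reduction t ⇓ v (Figure 1.1). None when no
    derivation exists, e.g. a free variable in function position; a term with
    no normal form loops, as proof search over the rules would."""
    if isinstance(t, Abs):
        return t                                          # (λx:a. r) ⇓ (λx:a. r)
    if isinstance(t, App):
        f = evaluate(t.fun)                               # m ⇓ (λx:a. r)
        if isinstance(f, Abs):
            return evaluate(subst(f.body, f.var, t.arg))  # r[x := n] ⇓ v
    return None

def typeof(ctx: list, t: Term):
    """Γ ⊢ t : a (Figure 1.2), ctx being a list of (x, a) pairs. As in the text,
    a bound variable already in dom(Γ) is renamed before it is added."""
    if isinstance(t, Var):
        return next((a for x, a in ctx if x == t.name), None)
    if isinstance(t, Abs):
        x, body, dom = t.var, t.body, {y for y, _ in ctx}
        if x in dom:
            x = fresh(x, dom | free_vars(body))
            body = subst(body, t.var, Var(x))
        b = typeof(ctx + [(x, t.ty)], body)
        return (t.ty, b) if b is not None else None
    fty, aty = typeof(ctx, t.fun), typeof(ctx, t.arg)
    if isinstance(fty, tuple) and aty is not None and fty[0] == aty:
        return fty[1]
    return None

def preserves_type(t: Term) -> Optional[bool]:
    """Theorem 1.2.3 on one closed term: if t ⇓ v and ⊢ t : a then ⊢ v : a.
    None when t is ill-typed or has no evaluation derivation."""
    a, v = typeof([], t), evaluate(t)
    if a is None or v is None:
        return None
    return typeof([], v) == a

# Constructed sample terms (all closed).
ID = Abs("z", I, Var("z"))                                          # λz:i. z
APPLY = Abs("f", (I, I), Abs("y", I, App(Var("f"), Var("y"))))      # λf:i→i. λy:i. f y
SAMPLE = App(APPLY, ID)                                             # ⇓ λy:i. (λz:i. z) y
```

The renaming inside subst and typeof is the work that a higher-order abstract syntax encoding pushes into the meta-language; every bug in it shows up as a failure of preserves_type on some term, which is the point the thesis makes about handling binding once and for all in the specification logic.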

Our objective is to carry out the style of reasoning described above in a formalized, 
computer-supported way. The framework that we will develop in this thesis will support 
such an ability. The key to doing this is designing a meta-logic for reasoning directly 
about the specification logic and, in this particular instance, the descriptions of evaluation 
and typing that have been encoded in it. The meta-logic that we will describe will allow 
the specification logic to be encoded as a definition in it, which then leads to the ability 
to reason, within the meta-logic, about the structure of specification logic derivations. 
Since these derivations have a close correspondence to the structural operational semantics 
derivations, a reasoning process very similar to that in Theorem 1.2.3 can be carried out 
within the meta-logic. Moreover, Lemmas 1.2.2 and 1.2.1 turn out to be instances of more 
general properties of the specification logic, and thus one can essentially obtain these results 
for free. 



1.3 The Contributions of this Thesis 

The framework that we are interested in developing in this thesis is characterized by a 
specification logic, a meta-logic, and an integration of these logics in a way that supports 
the two-level logic approach to reasoning. We shall base our specification logic on the 
intuitionistic theory of higher-order hereditary Harrop formulas [MNPS91]. This theory, 
which supports higher-order abstract syntax, underlies the λProlog programming language 
[NM88] and descriptions written in it can be animated using the Teyjus system [GHN+08, 
Qi09]. Our focus in this work is on developing the meta-logic and the two-level logic 
approach to reasoning and on demonstrating their practical usefulness. 

The starting point for our work will be a variant of the meta-logic called FOλ^ΔIN 
described by McDowell and Miller [MM00] that also supports the notion of higher-order 
abstract syntax. Further, our work will be inspired by the two-level logic approach to 
reasoning also described by McDowell and Miller [MM02]: from one perspective, we will 
mainly be strengthening the foundations of this approach and demonstrating how it can 
be exploited effectively in practice. The specific realization of the two-level logic approach 
to reasoning in the work of McDowell and Miller is based on FOλ^ΔIN together with the 
same specification logic that we will be using in our framework. One of the most significant 
components of FOλ^ΔIN is a definition mechanism which allows one to reason about "closed" 
descriptions of systems. Thus, one can use the logic to perform case analysis-like reasoning 
about the behavior of an encoded system. This definition mechanism is based on earlier work 
on closed-world reasoning by many others, but most notably by Schroeder-Heister [SH93], 
Eriksson [Eri91], and Girard [Gir92]. The FOλ^ΔIN logic includes within it a mechanism 
for induction on natural numbers. Tiu extended this capability in the meta-logic Linc 
to a more general one that allows definitions themselves to be treated inductively and 
co-inductively. The co-inductive treatment was initially limited, but Tiu and Momigliano have 
subsequently developed the logic Linc⁻ which removes these limitations [TM09]. 

McDowell and Miller's original meta-logic has also evolved in another way: the idea of 
generic judgments has been added to it to provide a better treatment of binding structure in 
higher-order abstract syntax representations than that afforded by the universal judgments 
originally used for this purpose. More specifically, Miller and Tiu introduced a new 
quantifier called ∇ which provides an elegant way to decompose higher-order abstract syntax 
representations by mapping term-level binding structure into a closely related proof-level 
binding structure. However, the original treatment of the ∇ quantifier interacted poorly 
with inductive and co-inductive reasoning. This has motivated Tiu to develop the logic 
LG^ω which refines the treatment of this new quantifier by including certain structural rules 
for it [Tiu06]. 

This thesis makes contributions to the setting described above by further strengthening 
the meta-logic, by using it to develop an actual computer-based system for reasoning about 
specifications, and by demonstrating the benefit of the overall framework through actual 
reasoning applications. We discuss these contributions in more detail below. 

1. We define a meta-logic called G which improves on previous logics such as Linc and 
LG^ω. These other logics allow one to decompose higher-order abstract syntax by 
introducing ∇-quantified variables into the structure of terms. These variables act 
like proof-level binders and allow one to reason about the binding structure of 
objects without explicitly selecting variable names. However, these logics do not 
have any way to analyze the structure of terms with respect to the occurrences of 
such proof-level bound variables, a task which is common to almost all reasoning 
about binding structure. The meta-logic G rectifies this situation by providing a 
generalization of the notion of equality which allows for exactly the type of analysis 
described. This generalized notion of equality behaves well with respect to definitions, 
induction, and co-induction. We establish consistency and more generally the 
cut-elimination property for G, and we find that this meta-theory is a natural and pleasing 
extension of the meta-theory of previous logics. These contributions are the contents 
of Chapters 3 and 4. 

2. The two-level logic approach had previously not been implemented and, hence, tested 
and the Linc logic had received only a partial implementation in a system called 
Bedwyr [BGM+07]. This thesis develops, for the first time, a complete realization 
of the reasoning component of the proposed framework. In particular, it develops a 
system called Abella that implements the meta-logic G and supports the two-level 
logic approach to reasoning. Abella greatly extends the capabilities of Bedwyr by 
incorporating full inductive and co-inductive reasoning capabilities. Experiments with 
Abella have largely verified the effectiveness of the framework it supports, and this 
aspect of our work has consequently contributed significantly to demonstrating the 
practicality of the two-level logic approach to reasoning. The discussion of Abella and 
its architecture is the content of Chapter 5. 

3. We use Abella to expose a methodology of proof construction within the proposed 
framework which has a close correspondence with traditional pencil-and-paper proofs. 
We formally prove part of this correspondence through adequacy results for our two- 
level logic approach, and we demonstrate how to prove the full correspondence between 
the two-level logic approach to reasoning and traditional pencil-and-paper proofs. 
Finally, through concrete examples, we showcase the expressive power of the meta-logic 
G and the practical benefits of the two-level logic approach to reasoning. These 
contributions are the contents of Chapters 6 and 7. 

We note that the work described in this thesis has already contributed to the tools and 
techniques used by other researchers. The Abella system, that has been freely distributed, 
has been downloaded and experimented with by several researchers. It has also been used 
in at least one instance to verify a paper-and-pencil proof in a research paper [TM08]. 

1.4 Overview of the Thesis 

In Chapter 2 we present the specification logic used in our proposed framework. We prove 
properties of this logic which make it a good basis for reasoning about object systems. We 
then encode the example of the simply-typed λ-calculus within the specification logic and 
prove the type preservation property via this encoding. The reasoning techniques used in 
this proof motivate some of the design of the meta-logic G. We pick up on the specification 
logic again when we discuss the two-level approach to reasoning in Chapter 6. 

Chapter 3 introduces the meta-logic G and its various features including an extended 
notion of equality, a definition mechanism for encoding specifications, and induction and 
co-induction capabilities. We show how the extended notion of equality can be combined 
with the definition mechanism to produce a useful way of describing certain objects which 
occur frequently when reasoning over higher-order abstract syntax descriptions. Finally, we 
provide examples which highlight the expressiveness of the new extended notion of equality. 
The contents of this chapter and the next also appear in [GMN08a, GMN09]. 

We develop the meta-theory of the meta-logic G in Chapter 4. The primary result of this 
chapter is the proof of cut-elimination which we use to prove other useful properties relative 
to our meta-logic. We discover here that there is a nice (meta-theoretic) modularity to our 
use of an extended notion of equality as the basis for endowing G with richer capabilities 
than the logics it builds on. In particular, we are able to reuse in this chapter much of the 
meta-theory already developed for Linc⁻ [TM09], thereby greatly reducing the effort that 
is needed for proving properties such as cut-elimination. 
In Chapter 5 we describe the Abella system and its architecture. We describe the role 
of lemmas and lemma-like hypotheses during proof construction, and we show how the 
induction and co-induction rules of G can be presented to the user in a very natural way. 

Chapter 6 brings together the specification logic and the meta-logic to develop the two-level 
logic approach to reasoning. In particular, this chapter describes how the specification 
logic can be embedded in the meta-logic and what benefit this has towards formalizing 
the properties of the specification logic. We reconsider the example of the simply-typed 
λ-calculus and using the two-level logic approach to reasoning we provide a very short and 
elegant proof of type preservation. Finally, we show that our encoding of the specification 
logic is adequate subject to some minor conditions. 

Using the two-level logic approach to reasoning and its embodiment in the Abella theorem 
prover we present larger applications of our framework in Chapter 7. These applications 
are intended to highlight the strengths and weaknesses of the two-level logic approach to 
reasoning. They include examples such as the POPLmark challenge [ABF+05] and Girard's 
proof of strong normalization for the simply-typed λ-calculus. 

In Chapter 8 we compare our framework against other approaches to specifying, prototyping, 
and reasoning about computational systems with binding. 

We conclude this thesis in Chapter 9 and discuss various avenues of future work. These 
range from foundational extensions which would increase the expressive power of the meta- 
logic to more implementation oriented extensions which would better facilitate the reasoning 
process. 



Chapter 2 



A Logic for Specifying Computational Systems 

The primary requirement of a specification logic within the framework that we want to
develop is that it allow for a transparent encoding of the kinds of formal systems that are of
interest to us. In particular, such an encoding should cover both the objects manipulated
within the formal system and the rules by which they are manipulated. In the context of our
work, we are particularly concerned with the representation of objects that incorporate a
variable binding structure. A logically precise encoding of such structure plays an important
role in the overall treatment of the relevant computational systems. An encoding that
has this character usually requires the treatment of concepts related to binding, such as
equality under bound variable renaming and capture-avoiding substitution. If these aspects
are not dealt with in a systematic way within the specification logic, they can overwhelm
the process of constructing encodings and can make the subsequent process of reasoning
about specifications unnecessarily complex. We therefore seek a specification logic which
incorporates a flexible and sophisticated treatment of variable binding structure and which
also builds in the related binding notions.

In this chapter we introduce the specification logic of second-order hereditary Harrop
formulas, abbreviated hH². This logic is essentially a restriction of the logic of higher-
order hereditary Harrop formulas [MNPS91] that underlies the language λProlog [NM88].
The hH² logic can be seen as an extension of the Horn clause logic, the logic that underlies
Prolog, with devices for representing, examining, and manipulating objects with binding
structure. In particular, hH² allows for a higher-order abstract syntax representation of
objects with binding structure [MN87, PE88]. Thus issues of variable renaming and
capture-avoiding substitution are taken care of once and for all in the specification logic,
leaving particular specifications free to focus on the more essential aspects of the system
they encode. Furthermore, like the logic of higher-order hereditary Harrop formulas that it
derives from, hH² admits an operational semantics which allows specifications to be
animated automatically, thus yielding quick prototypes of the computational systems they
encode.

In this chapter we formally define the hH² logic, describe its operational semantics, state
and prove properties of the logic, and demonstrate its use through a concrete example.

2.1 The Syntax and Semantics of the Logic 

Following Church [Chu40], terms in hH² are constructed using abstraction and application
from constants and bound variables. All terms are typed using a monomorphic typing
system. The provability relation concerns well-formed terms of the distinguished type o
that are also called formulas. Logic is introduced by including special constants representing
the propositional connectives ⊤, ∧, ∨, ⊃ and, for every type τ that does not contain o, the
constants ∀_τ and ∃_τ of type (τ → o) → o. We do not allow any other constants or variables
to have a type containing the type o. The binary propositional connectives are written as
usual in infix form and the expressions ∀_τ x.B and ∃_τ x.B abbreviate the formulas ∀_τ λx.B
and ∃_τ λx.B, respectively. Type subscripts will be omitted from quantified formulas when
they can be inferred from the context or are not important to the discussion. We also
use a shorthand for iterated quantification: if Q is a quantifier, we will often abbreviate
Qx₁ . . . Qxₙ.P to Qx₁, . . . , xₙ.P or simply Qx̄.P. We consider the scope of λ-binders (and
therefore quantifiers) as extending as far right as possible. We further assume that ⊃ is
right associative and has lower precedence than ∧ and ∨. For example, ∀x.t₁ ⊃ t₂ ⊃ t₃ ∧ t₄
should be read as ∀x.(t₁ ⊃ (t₂ ⊃ (t₃ ∧ t₄))).

We restrict our attention to two classes of formulas in hH² described by the following
grammar.

$$G ::= \top \mid A \mid A \supset G \mid \forall_\tau x.G \mid \exists_\tau x.G \mid G \wedge G \mid G \vee G$$
$$D ::= A \mid G \supset D \mid \forall_\tau x.D$$

Here A denotes an atomic formula. The formulas denoted by G are called goals and repre-
sent the conclusions we can infer in the logic. A notable restriction on implication in goal
formulas is that the left hand side must be an atomic formula. Formulas denoted by D are
called definite clauses and represent the hypotheses we can assume in the logic. Notice that
disjunctions and existentials are not allowed in definite formulas because they represent
indefinite knowledge. For simplicity, we also disallow conjunction, but the effect of con-
junctions can be recovered by using a set of clauses in place of a single clause. The order of
a formula is the depth of implications which are nested to the left of other implications. Our
restriction on implication means goal formulas are at most first-order and definite clauses
are at most second-order. It is precisely this restriction which carves out the logic of second-
order hereditary Harrop formulas from the larger logic of higher-order hereditary Harrop
formulas. Finally, by using logical equivalences we can percolate universal quantifiers to
the top, to rewrite all definite clauses to be of the form ∀x₁ . . . ∀xₙ.(G₁ ⊃ ··· ⊃ Gₘ ⊃ A)
where n and m may both be zero. In the future we will assume all definite clauses are in
this form.

The semantics of hH² are formalized by means of a proof-theoretic presentation of what
it means for a goal to follow from a set of definite clauses. Specifically, we will be concerned
with the derivation of sequents of the form Σ : Δ ⊢ G where Δ is a list of D-formulas, G
is a G-formula, and Σ is a set of variables called eigenvariables. For such a sequent to be
well-formed, we require that the formulas in Δ ∪ {G} must be constructed using only
the logical and non-logical constants of the language and the eigenvariables in Σ. This well-
formedness condition is guaranteed for every sequent considered in a derivation by ensuring
that we try to construct derivations only for well-formed ones at the top-level and by the
use of typing judgments of the form Σ ⊢ t : τ in rules that introduce new terms when these
rules are interpreted in a proof search direction. The meaning of this typing judgment, that
we do not explicitly formalize here, is the following: for it to hold, the term t must have
the type τ and it must also be constructed using only the non-logical constants and the
eigenvariables in Σ.

$$\frac{}{\Sigma : \Delta \vdash \top}\ \textsc{true}
\qquad
\frac{\Sigma : \Delta \vdash G_1}{\Sigma : \Delta \vdash G_1 \vee G_2}\ \textsc{or}_1
\qquad
\frac{\Sigma : \Delta \vdash G_2}{\Sigma : \Delta \vdash G_1 \vee G_2}\ \textsc{or}_2$$

$$\frac{\Sigma : \Delta \vdash G_1 \qquad \Sigma : \Delta \vdash G_2}{\Sigma : \Delta \vdash G_1 \wedge G_2}\ \textsc{and}
\qquad
\frac{\Sigma : \Delta \vdash G[t/x]}{\Sigma : \Delta \vdash \exists x.G}\ \textsc{instance}$$

$$\frac{\Sigma : \Delta, A \vdash G}{\Sigma : \Delta \vdash A \supset G}\ \textsc{augment}
\qquad
\frac{\Sigma \cup \{c : \tau\} : \Delta \vdash G[c/x]}{\Sigma : \Delta \vdash \forall_\tau x.G}\ \textsc{generic}$$

$$\frac{\Sigma : \Delta \vdash G_1[\bar t/\bar x] \qquad \cdots \qquad \Sigma : \Delta \vdash G_n[\bar t/\bar x]}{\Sigma : \Delta \vdash A}\ \textsc{backchain}$$

where ∀x̄.(G₁ ⊃ ··· ⊃ Gₙ ⊃ A') ∈ Δ and A'[t̄/x̄] = A

Figure 2.1: Derivation rules for the hH² logic

The rules for constructing proofs for such sequents are presented in Figure 2.1. The
GENERIC rule introduces an eigenvariable when read in a proof search direction. There
is a freshness side-condition associated with this eigenvariable: c must not already be in
Σ. Note that for this to be possible, we must assume that there is an unlimited supply of
eigenvariables of each type. In the INSTANCE rule t is required to be a term such that
Σ ⊢ t : τ holds. Similarly, in the BACKCHAIN rule for each term tᵢ in t̄ we must have
Σ ⊢ tᵢ : τᵢ where τᵢ is the type of the quantified variable xᵢ. An important property to note
about these rules is that if we use them to search for a proof of the sequent Δ ⊢ G, then
all the intermediate sequents that we will encounter will have the form Δ, 𝒞 ⊢ G' for some
G-formula G' and some list of atomic formulas 𝒞. Thus the initial context Δ is global, and
only atomic formulas are added to the context during proof construction.

In presenting sequents in later parts of this thesis, we shall occasionally omit writing
the signature. We will do this only when either the identity of the signature is irrelevant to
the discussion or when it can be inferred from the context.

The rules of hH² admit a simple proof search procedure: given a sequent Δ ⊢ G we
decompose the goal G until we reach an atomic formula at which point we backchain and
attempt to prove the resulting goals. This is, in fact, a manifestation of the uniform proofs
property that hH² inherits from the parent logic of higher-order hereditary Harrop formulas
[MNPS91]. The resulting procedure is non-deterministic since we have a choice when the
goal is a disjunction, an existential, or an atomic formula (we can choose which clause
to backchain on). The non-determinism induced by existentials can be handled using the
standard notion of instantiatable variables and unification while the non-determinism of the
OR and BACKCHAIN rules can be handled using depth-first search complemented with
backtracking. Computations described by hH² are included within those corresponding to
λProlog and can therefore be compiled and executed efficiently, e.g., by the Teyjus system
[GHN+08, Qi09].

2.2 Properties of the Specification Logic

We will eventually encode object logic judgments into specification logic judgments. By
doing this, we enable ourselves to use properties of the specification logic in proving
properties of the object logic. Therefore in this section we enumerate the various properties
of the hH² logic which may be useful in such reasoning. The proofs of these properties will
be based on induction over the height of a derivation, a notion we define now.

Definition 2.2.1. The height of a derivation Π, denoted by ht(Π), is 1 if Π has no premise
derivations and is max{ht(Πᵢ) + 1}_{i ∈ 1..n} if Π has the premise derivations {Πᵢ}_{i ∈ 1..n}.

The monotonicity property of hH² states that the eigenvariables and the context of a
sequent can always be expanded while preserving provability.

Lemma 2.2.2. Let Σ : Δ ⊢ G be a well-formed sequent, let Δ' be a list of definite clauses
such that Δ ⊆ Δ', and let Σ' be a set of eigenvariables such that Σ ⊆ Σ' and Σ' contains all
the eigenvariables of Δ'. If Σ : Δ ⊢ G has a derivation then Σ' : Δ' ⊢ G has a derivation.
Moreover, the height of the derivation does not increase.

Proof. Induction on the height of the derivation of Σ : Δ ⊢ G. □

The instantiation property states that an eigenvariable c which arises from a use of the
GENERIC rule can always be instantiated with a particular value while preserving prov-
ability. As a result, our use of eigenvariables to denote universal quantification in hH² is
well justified.

Lemma 2.2.3. Let c be a variable not in Σ. If Σ ∪ {c : τ} : Δ ⊢ G has a derivation then
for all terms t such that Σ ⊢ t : τ there is a derivation of Σ : Δ[t/c] ⊢ G[t/c]. Moreover,
the height of the derivation does not increase.

Proof. Induction on the height of the derivation of Σ ∪ {c : τ} : Δ ⊢ G. □

Finally, the cut admissibility property says that the assumption of an atomic formula
can be discharged if the atomic formula is itself provable.

Lemma 2.2.4. If Σ : Δ, A ⊢ G and Σ : Δ ⊢ A then Σ : Δ ⊢ G.

Proof. Induction on the height of the derivation of Σ : Δ, A ⊢ G. There are two interesting
cases. The first case is when G is A' ⊃ G' in which case we must apply the monotonicity
property to move from Σ : Δ, A, A' ⊢ G to Σ : Δ, A', A ⊢ G. The other case is when the
BACKCHAIN rule selects A, in which case the derivation of Σ : Δ ⊢ A can be substituted.

□

2.3 Example Encoding in the Specification Logic 

We now take the example of evaluation and typing for the simply-typed λ-calculus from
Section 1.2 and we encode it into the specification logic. We introduce the specification
logic types tp and tm for representing types and pre-terms respectively in the simply-typed
λ-calculus. Types in the simply-typed λ-calculus will be mapped to specification logic terms
constructed from the constants i and arr of types tp and tp → tp → tp, respectively. Pre-
terms in the simply-typed λ-calculus will be mapped to specification logic terms constructed
from the constants app and abs of types tm → tm → tm and tp → (tm → tm) → tm,
respectively. Notice that the second argument of abs is expected to be an abstraction
over tm in the specification logic. Finally, we will have two constants of and eval, of types
tm → tp → o and tm → tm → o respectively, which denote typing and evaluation.
The clauses for these predicates are presented in Figure 2.2. Here and in the
future we use the convention that tokens given by capital letters denote variables that are
implicitly universally quantified over the entire formula. In the second clause for evaluation,
R is an abstraction in the specification logic and thus the built-in notion of β-reduction
means that (R N) realizes capture-avoiding substitution of N for the bound variable in
R. For the typing judgment, we do not keep an explicit context of typing assumptions,
instead relying on the specification logic context. This is reflected in the rule for typing
abstractions where we use the ∀ quantifier to create a fresh eigenvariable and we assume
that this eigenvariable has the proper type while we derive a typing assignment for the
body of the abstraction. In this way, we avoid having an explicit base case for typing.
Later, when we reason about this specification, we will be able to exploit this encoding of
the typing context.

Using this encoding, we can now repeat the proof of type preservation and leverage
the properties we have shown of the hH² logic. Let Δ be the clauses from Figure 2.2.

Theorem 2.3.1. If Δ ⊢ eval e v holds and Δ ⊢ of e t holds then Δ ⊢ of v t holds.

Proof. By induction on the height of the derivation of Δ ⊢ eval e v. We proceed by cases on
the derivation of Δ ⊢ eval e v. This judgment must have been derived by backchaining on
one of the clauses for eval. If it was by the first clause, then e = v and the case is complete.
Otherwise it was by the second clause so e must be (app m n) for some m and n and we
have shorter derivations of Δ ⊢ eval m (abs a r) and Δ ⊢ eval (r n) v for some a and
r. By similarly examining the derivation Δ ⊢ of (app m n) t we must have derivations
of Δ ⊢ of m (arr b t) and Δ ⊢ of n b for some b. Applying the inductive hypothesis to
Δ ⊢ eval m (abs a r) and Δ ⊢ of m (arr b t) we have Δ ⊢ of (abs a r) (arr b t). This
derivation could only result if a = b and we have a derivation of Δ ⊢ ∀x.[of x a ⊃ of (r x) t]
and thus a derivation of Δ, of c a ⊢ of (r c) t for some eigenvariable c. Now we can apply the
instantiation property of our specification logic to get a derivation of Δ, of n a ⊢ of (r n) t.
Next we apply the cut property with our derivation of Δ ⊢ of n a to get Δ ⊢ of (r n) t.
Finally, we apply the inductive hypothesis again to Δ ⊢ of (r n) t and Δ ⊢ eval (r n) v to
get Δ ⊢ of v t which completes the proof. □

$$\begin{array}{l}
\mathit{eval}\ (\mathit{abs}\ A\ M)\ (\mathit{abs}\ A\ M) \\
\mathit{eval}\ M\ (\mathit{abs}\ A\ R) \supset \mathit{eval}\ (R\ N)\ V \supset \mathit{eval}\ (\mathit{app}\ M\ N)\ V \\[1ex]
\mathit{of}\ M\ (\mathit{arr}\ A\ B) \supset \mathit{of}\ N\ A \supset \mathit{of}\ (\mathit{app}\ M\ N)\ B \\
(\forall x.\ \mathit{of}\ x\ A \supset \mathit{of}\ (R\ x)\ B) \supset \mathit{of}\ (\mathit{abs}\ A\ R)\ (\mathit{arr}\ A\ B)
\end{array}$$

Figure 2.2: hH² specification of evaluation and typing

It is important to note in this proof that we did not have to prove a type substitution 
property for the object logic. Instead, the object logic inherited this property from the more 
general instantiation and cut properties of the specification logic. Also, induction over the 
height of specification logic derivations corresponded with induction over the height of 
object logic derivations. Thus we can reason about computational systems through their 
encoding in the specification logic with little overhead cost. 
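As an added example (my code, not the thesis's or Abella's), here are the clauses of Figure 2.2 animated in Python in the proof-search reading of Section 2.1: each goal is decomposed and then backchained, the R of abs A R is a Python callable so that applying it is the built-in β-reduction the text relies on for substitution, the GENERIC rule supplies a fresh eigenvariable, and AUGMENT extends the context with of c A; the block also checks Theorem 2.3.1 on one constructed term. The closure representation, the output-argument reading of eval and of, and the sample term are this example's assumptions.

```python
"""Added example (mine, not the thesis's or Abella's code): the hH² clauses
of Figure 2.2 animated in Python in the proof-search reading of Section 2.1
(decompose the goal, then backchain on a clause).  Assumptions made here:
the R in `abs A R` is a Python callable, so applying it is the built-in
β-reduction the text relies on for substitution, and `eval`/`of` are run
with their last argument as an output, as an interpreter would."""
import itertools
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class I: pass                            # i : tp
@dataclass(frozen=True)
class Arr: dom: object; cod: object      # arr : tp -> tp -> tp
@dataclass(frozen=True)
class App: fn: object; arg: object       # app : tm -> tm -> tm
@dataclass(frozen=True)
class Abs: ty: object; body: Callable    # abs : tp -> (tm -> tm) -> tm
@dataclass(frozen=True)
class Eigen: name: str                   # an eigenvariable c introduced by GENERIC

_fresh = itertools.count()

def eval_(e):
    """Backchain on the eval clauses of Figure 2.2 with V as the output:
         eval (abs A M) (abs A M)
         eval M (abs A R) ⊃ eval (R N) V ⊃ eval (app M N) V"""
    if isinstance(e, Abs):
        return e                         # first clause: an abstraction is a value
    if isinstance(e, App):
        f = eval_(e.fn)                  # subgoal eval M (abs A R)
        if not isinstance(f, Abs):
            raise ValueError("eval: no clause applies")
        return eval_(f.body(e.arg))      # subgoal eval (R N) V; R N is β-reduction
    raise ValueError("eval: no clause applies")

def of(e, ctx=None):
    """Backchain on the typing clauses of Figure 2.2 with the type as output:
         of M (arr A B) ⊃ of N A ⊃ of (app M N) B
         (∀x. of x A ⊃ of (R x) B) ⊃ of (abs A R) (arr A B)
    `ctx` holds the atomic formulas `of c A` added by AUGMENT; the two fixed
    clauses of Δ are this function's own code, so the context stays global."""
    ctx = {} if ctx is None else ctx
    if isinstance(e, Eigen):
        if e not in ctx:                 # only an assumption can type c
            raise TypeError(f"no assumption 'of {e.name} A' in the context")
        return ctx[e]
    if isinstance(e, App):
        t = of(e.fn, ctx)                # subgoal of M (arr A B)
        if not isinstance(t, Arr) or of(e.arg, ctx) != t.dom:   # subgoal of N A
            raise TypeError("of: ill-typed application")
        return t.cod
    if isinstance(e, Abs):
        c = Eigen(f"c{next(_fresh)}")            # GENERIC: fresh c, not yet in Σ
        b = of(e.body(c), {**ctx, c: e.ty})      # AUGMENT: assume of c A, type R c
        return Arr(e.ty, b)
    raise TypeError("of: no clause applies")

def preservation_holds(e):
    """Theorem 2.3.1 on one closed term e: eval e v and of e t give of v t."""
    return of(eval_(e)) == of(e)

def is_typable(e):
    try:
        of(e)
        return True
    except TypeError:
        return False

# Constructed sample: (λf:i→i. λx:i. f x) (λy:i. y), which evaluates to the
# abstraction λx:i. (λy:i. y) x; both have type i → i, i.e. arr i i.
SAMPLE = App(Abs(Arr(I(), I()), lambda f: Abs(I(), lambda x: App(f, x))),
             Abs(I(), lambda y: y))

if __name__ == "__main__":
    print(of(SAMPLE), preservation_holds(SAMPLE))   # Arr(dom=I(), cod=I()) True
```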

2.4 Adequacy of Encodings in the Specification Logic 

A tacit assumption in the example we considered in the previous section is that the spec- 
ification of pre-terms, types, typing, and evaluation are all faithful representations of the 
corresponding concepts in the object logic. This kind of property of encodings is referred to 
as the adequacy property. We must, of course, prove such a property before we can derive 
benefit from it. To do this, we need to prove that there is a bijection between components of 
the object logic and their specification logic representations and that this bijection preserves 
properties of relevance in the two systems. With specific reference to the example encoding 
we have considered, we have to show that each object in the simply-typed λ-calculus has a
unique representation in the specification logic, and each representation in the specification
logic corresponds to a unique object in the simply-typed λ-calculus. We show below how
such arguments are typically carried out. 

To simplify the argument we will assume an implicit mapping between bound variables
in the object language and bound variables in the specification language, and between free
variables in the object language and eigenvariables in the specification language. A more
rigorous treatment of adequacy would make this mapping explicit [Fel89].

We define the bijections φ_tp, φ_tm, φ_eval, φ_ctx, and φ_of which are used to map types, pre-
terms, evaluation judgments, typing contexts, and typing judgments in the simply-typed
λ-calculus to their corresponding representations in the specification logic. We will omit the
subscripts on φ when they can be inferred from context. The proofs that these mappings are
bijective are always by straightforward induction on the size of terms or strong induction
on the height of derivations.

Types in the simply-typed λ-calculus map to terms of type tp in the specification logic.
We formalize this mapping as follows.

$$\phi(i) = i \qquad \phi(a \to b) = \mathit{arr}\ \phi(a)\ \phi(b)$$

This function is clearly a bijection.

Next we define the mapping between α-equivalence classes of pre-terms in the object
logic and terms of type tm in the specification logic.

$$\phi(x) = x \qquad \phi(m\ n) = \mathit{app}\ \phi(m)\ \phi(n) \qquad \phi(\lambda x{:}a.\,r) = \mathit{abs}\ \phi(a)\ (\lambda x.\phi(r))$$

In the last rule for this mapping note that the λ within the φ is that of the simply-typed
λ-calculus while the one outside of φ is from the specification logic. This mapping is
clearly bijective under the assumption that α-convertible terms in the specification logic
are considered to be identical.

Let Δ be the clauses from Figure 2.2. Then derivations of evaluation judgments in
the simply-typed λ-calculus correspond to derivations of the sequent Δ ⊢ eval e v in the
specification logic as follows. First consider the translation of evaluation for abstractions:

$$\phi\!\left(\frac{}{\lambda x{:}a.\,t \Downarrow \lambda x{:}a.\,t}\right)
= \frac{}{\Delta \vdash \mathit{eval}\ \phi(\lambda x{:}a.\,t)\ \phi(\lambda x{:}a.\,t)}
= \frac{}{\Delta \vdash \mathit{eval}\ (\mathit{abs}\ \phi(a)\ (\lambda x.\phi(t)))\ (\mathit{abs}\ \phi(a)\ (\lambda x.\phi(t)))}$$

Here and in the future we propagate the mapping to make it clear that the specification
logic inference rules are well-formed. In this case, the right-hand inference rule is an instance
of the BACKCHAIN rule over the clause for evaluating abstractions.
The translation for evaluations of applications is the following.

$$\phi\!\left(\frac{m \Downarrow \lambda x{:}a.\,r \qquad r[x := n] \Downarrow v}{m\ n \Downarrow v}\right)
= \frac{\Delta \vdash \mathit{eval}\ \phi(m)\ (\mathit{abs}\ \phi(a)\ (\lambda x.\phi(r))) \qquad \Delta \vdash \mathit{eval}\ \phi(r[x := n])\ \phi(v)}{\Delta \vdash \mathit{eval}\ \phi(m\ n)\ \phi(v)}$$

$$= \frac{\Delta \vdash \mathit{eval}\ \phi(m)\ (\mathit{abs}\ \phi(a)\ (\lambda x.\phi(r))) \qquad \Delta \vdash \mathit{eval}\ ((\lambda x.\phi(r))\ \phi(n))\ \phi(v)}{\Delta \vdash \mathit{eval}\ (\mathit{app}\ \phi(m)\ \phi(n))\ \phi(v)}$$

In the final formula, we make use of the automatic β-conversion in the specification logic
where (λx.φ(r)) φ(n) = φ(r)[φ(n)/x], and we use the following compositional property of
the bijection for terms.

$$\phi(r[x := n]) = \phi(r)[\phi(n)/x]$$

This equation relates the substitution of the simply-typed λ-calculus on the left with the
substitution in the specification logic on the right. The proof of this equality is by induction
on the structure of r. Thus the inference rule on the right-hand side above is a proper
instance of the BACKCHAIN rule over the clause for evaluating applications. The inverse
of the φ mapping is defined in the natural way and thus φ is a bijection.

Finally, we look at derivations of typing judgments in the simply-typed λ-calculus and
we map these to derivations of sequents of the form Δ, 𝒞 ⊢ of e t where 𝒞 is a list of atomic
formulas of the form of x₁ a₁, . . . , of x_k a_k where each xᵢ is a unique eigenvariable. We first
define the following bijection between a list of typing assumptions Γ from the simply-typed
λ-calculus and a list of atomic formulas of the form described for 𝒞.

$$\phi(x_1 : a_1, \ldots, x_k : a_k) = \mathit{of}\ x_1\ \phi(a_1), \ldots, \mathit{of}\ x_k\ \phi(a_k)$$

Given this, we can define the mapping for typing variables as follows.

$$\phi\!\left(\frac{}{\Gamma \vdash x_i : a_i}\right) = \frac{}{\Delta, \phi(\Gamma) \vdash \mathit{of}\ x_i\ \phi(a_i)}$$

If the typing derivation within the φ is correct then it must be that xᵢ : aᵢ ∈ Γ. Thus the
right-hand side is an instance of the BACKCHAIN rule on the clause of xᵢ φ(aᵢ) which is
in φ(Γ).

The typing rule for applications is mapped in the expected way:

$$\phi\!\left(\frac{\Gamma \vdash m : a \to b \qquad \Gamma \vdash n : a}{\Gamma \vdash m\ n : b}\right)
= \frac{\Delta, \phi(\Gamma) \vdash \mathit{of}\ \phi(m)\ (\mathit{arr}\ \phi(a)\ \phi(b)) \qquad \Delta, \phi(\Gamma) \vdash \mathit{of}\ \phi(n)\ \phi(a)}{\Delta, \phi(\Gamma) \vdash \mathit{of}\ \phi(m\ n)\ \phi(b)}$$

$$= \frac{\Delta, \phi(\Gamma) \vdash \mathit{of}\ \phi(m)\ (\mathit{arr}\ \phi(a)\ \phi(b)) \qquad \Delta, \phi(\Gamma) \vdash \mathit{of}\ \phi(n)\ \phi(a)}{\Delta, \phi(\Gamma) \vdash \mathit{of}\ (\mathit{app}\ \phi(m)\ \phi(n))\ \phi(b)}$$
For mapping the abstraction typing rule, we need to be mindful of the variable naming
restriction and how this is realized in the specification logic. Suppose we want to define the
following mapping.

$$\phi\!\left(\frac{\Gamma, x : a \vdash r : b}{\Gamma \vdash (\lambda x{:}a.\,r) : a \to b}\right)$$

Here we assume that x does not appear in Γ so that the naming restriction is satisfied. We
map this to the following specification logic derivation.

$$\frac{
\frac{
\frac{\Delta, \phi(\Gamma), \mathit{of}\ x\ \phi(a) \vdash \mathit{of}\ \phi(r)\ \phi(b)}
     {\Delta, \phi(\Gamma) \vdash \mathit{of}\ x\ \phi(a) \supset \mathit{of}\ \phi(r)\ \phi(b)}\ \textsc{augment}}
{\Delta, \phi(\Gamma) \vdash \forall x.\,\mathit{of}\ x\ \phi(a) \supset \mathit{of}\ \phi(r)\ \phi(b)}\ \textsc{generic}}
{\Delta, \phi(\Gamma) \vdash \mathit{of}\ (\mathit{abs}\ \phi(a)\ (\lambda x.\phi(r)))\ (\mathit{arr}\ \phi(a)\ \phi(b))}\ \textsc{backchain}$$

In the GENERIC rule we overload notation to let x be the eigenvariable we select. Since
it does not appear in Γ it will not appear in φ(Γ), and thus the freshness side-condition on
the GENERIC rule is satisfied. In fact, the naming restriction in the object logic matches
up with the freshness side-condition in the specification logic exactly as needed.

The inverse of the φ mapping for typing judgments can be defined in the expected way,
and thus φ is a bijection. This concludes the proof of adequacy for our specification. In the
future we will omit such arguments since our specifications are often transparent encodings
of the systems they represent.
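The φ mapping of this section and the compositional property φ(r[x := n]) = φ(r)[φ(n)/x], as an added example in Python (my code, not the thesis's): named pre-terms are translated into the HOAS representation of Figure 2.2 and the property is checked on a substitution where the object-level side has to rename a binder. The mapping of free variables to eigenvariables of the same name, the closure representation of specification-logic abstractions, the α-equality test and the sample terms are this example's assumptions.

```python
"""Added example (mine, not the thesis's): the mapping φ of Section 2.4 from
named simply-typed λ-terms to the HOAS terms of Figure 2.2, and a check of
φ(r[x := n]) = φ(r)[φ(n)/x].  Assumptions made here: free object variables
map to eigenvariables of the same name, specification-logic abstractions
are Python callables, and α-equality is tested by applying bodies to a
fresh eigenvariable."""
import itertools
from dataclasses import dataclass
from typing import Callable

# Object logic: named pre-terms (Var, Lam, Ap) and types (Base, Fun).
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: x: str; ty: object; body: object
@dataclass(frozen=True)
class Ap: fn: object; arg: object
@dataclass(frozen=True)
class Base: pass
@dataclass(frozen=True)
class Fun: dom: object; cod: object

# Specification logic: eigenvariables, app, abs (HOAS), and the types i, arr.
@dataclass(frozen=True)
class Eigen: name: str
@dataclass(frozen=True)
class App: fn: object; arg: object
@dataclass(frozen=True)
class Abs: ty: object; body: Callable
@dataclass(frozen=True)
class I: pass
@dataclass(frozen=True)
class Arr: dom: object; cod: object

_fresh = itertools.count()

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Ap):
        return free_vars(t.fn) | free_vars(t.arg)
    return free_vars(t.body) - {t.x}

def subst_named(r, x, n):
    """Capture-avoiding r[x := n] on named terms (the object-level notion)."""
    if isinstance(r, Var):
        return n if r.name == x else r
    if isinstance(r, Ap):
        return Ap(subst_named(r.fn, x, n), subst_named(r.arg, x, n))
    if r.x == x:
        return r                                  # x is bound here: nothing to do
    if r.x in free_vars(n):                       # binder would capture: rename it
        y = f"{r.x}_{next(_fresh)}"
        r = Lam(y, r.ty, subst_named(r.body, r.x, Var(y)))
    return Lam(r.x, r.ty, subst_named(r.body, x, n))

def phi_ty(a):
    return I() if isinstance(a, Base) else Arr(phi_ty(a.dom), phi_ty(a.cod))

def phi(t, env=None):
    """φ on pre-terms; env maps a bound name to the spec-logic binder's argument."""
    env = {} if env is None else env
    if isinstance(t, Var):
        return env.get(t.name, Eigen(t.name))     # free variable -> eigenvariable
    if isinstance(t, Ap):
        return App(phi(t.fn, env), phi(t.arg, env))
    return Abs(phi_ty(t.ty), lambda v: phi(t.body, {**env, t.x: v}))

def subst_spec(t, c, s):
    """t[s/c] in the specification logic: no renaming is ever needed, since
    binders are closures and cannot capture the eigenvariables free in s."""
    if isinstance(t, Eigen):
        return s if t == c else t
    if isinstance(t, App):
        return App(subst_spec(t.fn, c, s), subst_spec(t.arg, c, s))
    return Abs(t.ty, lambda v: subst_spec(t.body(v), c, s))

def alpha_eq(a, b):
    """Equality of spec-logic terms up to α-conversion."""
    if isinstance(a, Eigen) or isinstance(b, Eigen):
        return a == b
    if isinstance(a, App) and isinstance(b, App):
        return alpha_eq(a.fn, b.fn) and alpha_eq(a.arg, b.arg)
    if isinstance(a, Abs) and isinstance(b, Abs) and a.ty == b.ty:
        c = Eigen(f"#{next(_fresh)}")             # fresh; cannot clash with a name
        return alpha_eq(a.body(c), b.body(c))
    return False

def compositional(r, x, n):
    """φ(r[x := n]) = φ(r)[φ(n)/x] for one instance of r, x and n."""
    return alpha_eq(phi(subst_named(r, x, n)), subst_spec(phi(r), Eigen(x), phi(n)))

# Constructed sample: r = λy:i. x y with x free and n = y, also free, so the
# object-level substitution must rename the binder y to avoid capture.
R = Lam("y", Base(), Ap(Var("x"), Var("y")))
N = Var("y")
```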



Chapter 3 



A Logic for Reasoning About Specifications 

In this chapter we present the meta-logic G. This logic allows for encoding descriptions
of computational systems and for reasoning over those descriptions. The logic includes
traditional reasoning devices such as case analysis, induction, and co-induction as well as
new devices specifically designed for working with higher-order abstract syntax.

The relevant history of G begins with the meta-logic FOλ^{ΔIN} developed by McDowell and
Miller for the purposes of inductive reasoning over higher-order abstract syntax descriptions
[MM02, MM00]. This logic contains a definition mechanism which allows one to specify and
reason about closed-world descriptions, i.e., allows one to form judgments and to perform
case analysis on them. This definition mechanism is based on earlier work on closed-
world reasoning by many others, but most notably by Schroeder-Heister [SH93], Eriksson
[Eri91], and Girard [Gir92]. The primary contribution of FOλ^{ΔIN} was the recognition
that definitions provided a way of encoding higher-order abstract syntax descriptions in
such a way that does not conflict with inductive reasoning. In particular, FOλ^{ΔIN} allowed
for natural number induction, and so many reasoning tasks could be naturally encoded.
More recently, Tiu [Tiu04] developed the meta-logic Linc which extends the mechanism of
definitions to integrate notions of generalized induction and co-induction over the structure
of definitions. These more general notions are present in G as well.

Another central advancement in the development of logics for reasoning over higher-
order abstract syntax descriptions was the recognition that one needed a way to reflect the
binding structure of terms into the structure of proofs. This was realized in earlier logics by
using universal judgments. However, this kind of correspondence was always an uneasy one
and the mismatch became explicit when it was necessary to use case analysis arguments over
binding structure as must be done, for example, in bisimilarity proofs associated with π-
calculus models of concurrent systems. The desire to provide a logically precise and cleaner
treatment led to the development of the ∇-quantifier and the associated generic judgment
by Miller and Tiu in the meta-logic FOλ^{Δ∇} [MT05]. Tiu later refined this notion in
the meta-logic LG^ω so that the ∇-quantifier behaved well with respect to inductive reasoning
[Tiu06]. This interpretation of the ∇-quantifier is present in G, and in this context it can
be understood as quantifying over fresh names.

The meta-logic G is a continuation of the research surrounding inductive reasoning and
higher-order abstract syntax descriptions. In particular, it extends the notion of equality
in the logic to one which can describe the binding structure of terms relative to the proof
context in which they occur. This turns out to be essential to describing the structure
of terms which are generated during inductive reasoning over higher-order abstract syntax
descriptions. Moreover, G identifies how this extended notion of equality can be integrated
with the definition mechanism to allow a succinct description of such objects.

The presentation of G is divided into three parts. First, Section 3.1 contains the core of
the logic including generic quantification. Then Section 3.2 introduces the extended notion
of equality known as nominal abstraction and rules for treating this notion within the logic.
Finally, Section 3.3 presents rules for treating fixed-points in the logic including mechanisms
for induction and co-induction. Although the logical features of G are described in their
entirety in the first three sections, it is sometimes convenient to use an alternative presenta-
tion for fixed-point definitions. This form, which uses patterns to distinguish different cases
in the structure of the atom being defined, is introduced in Section 3.4 and is elaborated
as an interpretation of the basic form of definitions that uses nominal abstractions explic-
itly. Rules for treating this alternative form of fixed-points are presented and proven to be
admissible. Finally, Section 3.5 provides some small examples to illustrate the expressive
power of the logic.

3.1 A Logic with Generic Quantification 

In this section we present the core logic underlying G. This logic is obtained by extending an
intuitionistic and predicative subset of Church's Simple Theory of Types with a treatment
of generic judgments. The encoding of generic judgments is based on the quantifier called ∇
(pronounced nabla) introduced by Miller and Tiu [MT05] and further includes the structural
rules associated with this quantifier in the logic LG^ω described by Tiu [Tiu06].

3.1.1 The Basic Syntax 

Following Church [Chu40], terms are constructed from constants and variables using ab-
straction and application. All terms are assigned types using a monomorphic typing system;
these types also constrain the set of well-formed expressions in the expected way. The collec-
tion of types includes o, a type that corresponds to propositions. Well-formed terms of this
type are also called formulas. Two terms are considered to be equal if one can be obtained
from the other by a sequence of applications of the α-, β- and η-conversion rules, i.e., the
λ-conversion rules. This notion of equality is henceforth assumed implicitly wherever there
is a need to compare terms. Logic is introduced by including special constants representing
the propositional connectives ⊤, ⊥, ∧, ∨, ⊃ and, for every type τ that does not contain o,
the constants ∀_τ and ∃_τ of type (τ → o) → o. The binary propositional connectives are
written as usual in infix form and the expressions ∀_τ x.B and ∃_τ x.B abbreviate the formulas
∀_τ λx.B and ∃_τ λx.B, respectively. Type subscripts will be omitted from quantified formulas
when they can be inferred from the context or are not important to the discussion. We also
use a shorthand for iterated quantification: if Q is a quantifier, we will often abbreviate
Qx₁ . . . Qxₙ.P to Qx₁, . . . , xₙ.P or simply Qx̄.P. We consider the scope of λ-binders (and
therefore quantifiers) as extending as far right as possible. We further assume that ⊃ is
right associative and has lower precedence than ∧ and ∨. For example, ∀x.t₁ ⊃ t₂ ⊃ t₃ ∧ t₄
should be read as ∀x.(t₁ ⊃ (t₂ ⊃ (t₃ ∧ t₄))).

The usual inference rules for the universal quantifier can be seen as equating it to the
conjunction of all of its instances: that is, this quantifier is treated extensionally. There are
several situations where one wishes to treat an expression such as "B holds for all x"
as a statement about the existence of a uniform argument for every instance rather than
the truth of a particular property for each instance [MT05]: such situations typically arise
when one is reasoning about the binding structure of formal objects represented using the λ-
tree syntax [Mil00] version of higher-order abstract syntax [PE88]. The ∇-quantifier serves
to encode judgments that have this kind of a "generic" property associated with them.
Syntactically, this quantifier corresponds to including a constant ∇_τ of type (τ → o) → o
for each type τ not containing o.¹ As with the other quantifiers, ∇_τ x.B abbreviates ∇_τ λx.B
and the type subscripts are often suppressed for readability.

3.1.2 Generic Judgments and ∇-quantification

Sequents in intuitionistic logic can be written as

$$\Sigma : B_1, \ldots, B_n \longrightarrow B_0 \qquad (n \ge 0)$$

where Σ is the "global signature" for the sequent that contains the eigenvariables (i.e., vari-
ables associated to the ∃L and ∀R inference rules) relevant to the sequent proof. We shall
think of Σ in this prefix position as an operator that binds each of the variables it contains
and that has the rest of the sequent as its scope. To treat the ∇-quantifier, the FOλ^{Δ∇}
logic [MT05] extends the notion of a judgment from just a formula to a formula paired with
a "local signature." Thus, sequents within this logic are written more elaborately as

$$\Sigma : \sigma_1 \triangleright B_1, \ldots, \sigma_n \triangleright B_n \longrightarrow \sigma_0 \triangleright B_0,$$

where each σ₀, . . . , σₙ is a list of variables that are bound locally in the formula adjacent to
it. Such local signatures correspond to a proof-level encoding of binding that is expressed
within formulas through the ∇-quantifier. In particular, the judgment x₁, . . . , xₙ ▷ B and
the formula ∇x₁ ··· ∇xₙ.B for n ≥ 0 have the same proof-theoretic force. In keeping with
this observation, we shall refer to a judgment of the form σ ▷ B as a generic judgment.

As part of a generalization of sequents that bases them on generic judgments rather than
on formulas, we need to define when two such judgments are equal: this is necessary for
describing at least the initial and cut inference rules. The FOλ^{Δ∇} logic [MT05] uses a simple
form of equality for this purpose. It deems two generic judgments of the form x₁, . . . , xₙ ▷ B
and y₁, . . . , yₘ ▷ C to be equal exactly when the λ-terms λx₁ . . . λxₙ.B and λy₁ . . . λyₘ.C
are λ-convertible; notice that this necessarily implies that n = m. An equality notion is also
needed in formulating an induction rule. Unfortunately, the simple form of equality present
in FOλ^{Δ∇} leads to a rather weak version of such a rule. To overcome this difficulty, Tiu



¹ We may choose to allow ∇-quantification at fewer types in particular applications; such a restriction may
be useful in adequacy arguments for reasons we discuss later.
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proposed the addition to the logic of two natural "structural" identities between generic 
judgments. These identities are the V -strengthening rule Vx.F = F, provided x is not 
free in F, and the V -exchange rule VxVy.F = 'Vy'Vx.F. In its essence, the LG^ proof 
system |Tiu06| is obtained from FOX^^ by strengthening its notion of equality based on 
A-conversion through the addition of these two structural rules for V. 

The move from the weaker logic FOλ^∇ to the stronger logic LG^ω involves an ontological commitment and has a proof-theoretic consequence. 

At the ontological level, the strengthening rule implies that every type at which one is willing to use ∇-quantification is non-empty and, in fact, contains an unbounded number of members. For example, the formula $\exists_\tau x . \top$ is always provable, even if there are no closed terms of type τ, because this formula is equivalent to $\nabla_\tau u . \exists_\tau x . \top$, which is provable. Similarly, for any given n ≥ 1, the following formula is provable 



At the proof-theoretic level, an acceptance of the strengthening and exchange rules means that the length of a local context and the order of variables within it are unimportant. For example, a sequent that contains the generic judgments $x_1, \ldots, x_n \triangleright B$ and $y_1, \ldots, y_m \triangleright C$ can be rewritten (assuming n ≥ m) using α-conversion and strengthening into the judgments $z_1, \ldots, z_n \triangleright B'$ and $z_1, \ldots, z_n \triangleright C'$ where B' and C' are equal to B and C modulo variable renamings. In this fashion, all local bindings in a sequent can be made to involve the same variables, and, hence, the local bindings can be seen as a global binding over a sequent that contains formulas and not generic judgments. The resulting sequent-level variable bindings will be represented by specially designated nominal constants. Notice, however, that each of these nominal "constants" has as its scope only a single formula. Thus, we must distinguish the same nominal constant when it appears in two different formulas and we should treat judgments as being equal if they are identical up to permutations of these constants. 

3.1.3 A Sequent Calculus Presentation of the Core Logic 

The logic G inherits from LG^ω the shift from a local to a global scope in the treatment of the ∇-quantifier. In particular, we assume that the collection of constants is partitioned into the set 𝒞 of nominal constants and the set 𝒦 of usual, non-nominal constants. We assume the set 𝒞 contains an infinite number of nominal constants for each type at which ∇-quantification is permitted. We define the support of a term (or formula), written supp(t), as the set of nominal constants appearing in it. A permutation of nominal constants is a type-preserving bijection π from 𝒞 to 𝒞 such that {x | π(x) ≠ x} is finite. We denote the application of such a permutation to a term or formula t by π.t and define this as follows: 

$$\begin{array}{ll}
\pi.a = \pi(a), & \text{if } a \in \mathcal{C} \\
\pi.c = c, & \text{if } c \notin \mathcal{C} \text{ is atomic} \\
\pi.(\lambda x.M) = \lambda x.(\pi.M) & \\
\pi.(M\ N) = (\pi.M)\ (\pi.N) &
\end{array}$$
$$\frac{B \sim B'}{\Sigma : \Gamma, B \longrightarrow B'}\ id \qquad
\frac{\Sigma : \Gamma \longrightarrow B \quad \Sigma : B, \Delta \longrightarrow C}{\Sigma : \Gamma, \Delta \longrightarrow C}\ cut \qquad
\frac{\Sigma : \Gamma, B, B \longrightarrow C}{\Sigma : \Gamma, B \longrightarrow C}\ cL$$

$$\frac{}{\Sigma : \Gamma, \bot \longrightarrow C}\ \bot L \qquad
\frac{}{\Sigma : \Gamma \longrightarrow \top}\ \top R$$

$$\frac{\Sigma : \Gamma, B_i \longrightarrow C}{\Sigma : \Gamma, B_1 \wedge B_2 \longrightarrow C}\ \wedge L,\ i \in \{1, 2\} \qquad
\frac{\Sigma : \Gamma \longrightarrow B \quad \Sigma : \Gamma \longrightarrow C}{\Sigma : \Gamma \longrightarrow B \wedge C}\ \wedge R$$

$$\frac{\Sigma : \Gamma, B \longrightarrow C \quad \Sigma : \Gamma, D \longrightarrow C}{\Sigma : \Gamma, B \vee D \longrightarrow C}\ \vee L \qquad
\frac{\Sigma : \Gamma \longrightarrow B_i}{\Sigma : \Gamma \longrightarrow B_1 \vee B_2}\ \vee R,\ i \in \{1, 2\}$$

$$\frac{\Sigma : \Gamma \longrightarrow B \quad \Sigma : \Gamma, D \longrightarrow C}{\Sigma : \Gamma, B \supset D \longrightarrow C}\ \supset L \qquad
\frac{\Sigma : \Gamma, B \longrightarrow C}{\Sigma : \Gamma \longrightarrow B \supset C}\ \supset R$$

$$\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \quad \Sigma : \Gamma, B[t/x] \longrightarrow C}{\Sigma : \Gamma, \forall_\tau x . B \longrightarrow C}\ \forall L \qquad
\frac{\Sigma, h : \Gamma \longrightarrow B[h\ \bar{c}/x]}{\Sigma : \Gamma \longrightarrow \forall x . B}\ \forall R$$

$$\frac{\Sigma, h : \Gamma, B[h\ \bar{c}/x] \longrightarrow C}{\Sigma : \Gamma, \exists x . B \longrightarrow C}\ \exists L \qquad
\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \quad \Sigma : \Gamma \longrightarrow B[t/x]}{\Sigma : \Gamma \longrightarrow \exists_\tau x . B}\ \exists R$$

$$\frac{\Sigma : \Gamma, B[a/x] \longrightarrow C}{\Sigma : \Gamma, \nabla x . B \longrightarrow C}\ \nabla L \qquad
\frac{\Sigma : \Gamma \longrightarrow B[a/x]}{\Sigma : \Gamma \longrightarrow \nabla x . B}\ \nabla R$$

In ∀R and ∃L, h is a fresh eigenvariable and $\bar{c}$ is a listing of supp(B); in ∇L and ∇R, a is a nominal constant with a ∉ supp(B). 

Figure 3.1: The core rules of G 



We extend the notion of equality between terms to encompass also the application of permutations to nominal constants appearing in them. Specifically, we write B ∼ B' to denote the fact that there is a permutation π such that B λ-converts to π.B'. Using the observations that permutations are invertible and composable and that λ-convertibility is an equivalence relation, it is easy to see that ∼ is also an equivalence relation. 

The rules defining the core of G are presented in Figure 3.1. Sequents in this logic have the form Σ : Γ ⟶ C where Γ is a multiset and the signature Σ contains all the free variables of Γ and C. We use expressions of the form B[t/x] in the quantifier rules to denote the result of substituting the term t for x in the formula B. Note that such a substitution must be done carefully, making sure to rename bound variables in B to avoid capture of variables appearing in t. In the ∇L and ∇R rules, a denotes a nominal constant of an appropriate type. In the ∃L and ∀R rules we use raising [Mil92] to encode the dependency of the quantified variable on the support of B; the expression (h c̄) in which h is a fresh eigenvariable is used in these two rules to denote the (curried) application of h to the constants appearing in the sequence c̄. The ∀L and ∃R rules make use of judgments of the form Σ, 𝒦, 𝒞 ⊢ t : τ. These judgments enforce the requirement that the expression t instantiating the quantifier in the rule is a well-formed term of type τ constructed from the eigenvariables in Σ and the constants in 𝒦 ∪ 𝒞. Notice that in contrast the ∀R and ∃L rules seem to allow for a dependency on only a restricted set of nominal constants. However, this asymmetry is not significant: Corollary 4.1.5 in Section 4.1 will tell us that the dependency expressed through raising in the latter rules can be extended to any number of nominal constants that are not in the relevant support set without affecting the provability of sequents. 

Equality modulo λ-conversion is built into the rules in Figure 3.1, and also into later extensions of this logic, in a fundamental way: in particular, proofs are preserved under the replacement of formulas in sequents by ones to which they λ-convert. A more involved observation is that we can replace a formula B in a sequent by another formula B' such that B ∼ B' without affecting the provability of the sequent or even the very structure of the proof. For the core logic, this observation follows from the form of the id rule and the fact that permutations distribute over logical structure. We shall prove this property explicitly for the full logic in Chapter 4. 

3.2 Characterizing Occurrences of Nominal Constants 

We are interested in adding to our logic the capability of characterizing occurrences of 
nominal constants within terms and also of analyzing the structure of terms with respect to 
such occurrences. For example, we may want to define a predicate called name that holds of 
a term exactly when that term is a nominal constant. Similarly, we might need to identify a 
binary relation called fresh that holds between two terms just in the case that the first term 
is a nominal constant that does not occur in the second term. Towards supporting such 
possibilities, we define in this section a special binary relation called nominal abstraction and 
then present proof rules that incorporate an understanding of this relation into the logic. A 
formalization of these ideas requires a careful treatment of substitution. In particular, this 
operation must be defined to respect the intended formula-level scope of nominal constants. 
We begin our discussion with an elaboration of this aspect. 

3.2.1 Substitutions and their Interaction with Nominal Constants 

The following definition reiterates a common view of substitutions in logical contexts. 

Definition 3.2.1. A substitution is a type preserving mapping from variables to terms that is the identity at all but a finite number of variables. The domain of a substitution is the set of variables that are not mapped to themselves and its range is the set of terms resulting from applying it to the variables in its domain. We write a substitution as $\{t_1/x_1, \ldots, t_n/x_n\}$ where $x_1, \ldots, x_n$ is a list of variables that contains the domain of the substitution and $t_1, \ldots, t_n$ is the value of the map on these variables. The support of a substitution θ, written as supp(θ), is the set of nominal constants that appear in the range of θ. The restriction of a substitution θ to the set of variables Σ, written as θ↾Σ, is a mapping that is like θ on the variables in Σ and the identity everywhere else. 

A substitution essentially calls for the replacement of variables by their associated terms 
in any context to which it is applied. A complicating factor in our setting is that nominal 
constants can appear in the terms that are to replace particular variables. A substitution 
may be determined relative to one formula in a sequent but may then have to be applied 
to other formulas in the same sequent. In doing this, we have to take into account the fact 
that the scopes of the implicit quantifiers over nominal constants are restricted to individual 
formulas. Thus, the logically correct application of a substitution should be accompanied 
by a renaming of these constants in the term being substituted into so as to ensure that 
they are not confused with the ones appearing in the range of the substitution. 

Definition 3.2.2. The ordinary application of a substitution θ to a term B is denoted by B[θ] and corresponds to the replacement of the variables in B by the terms that θ maps them to, making sure, as usual, to avoid accidental binding of the variables appearing in the range of θ. More precisely, if θ = $\{t_1/x_1, \ldots, t_n/x_n\}$, then B[θ] is the term $(\lambda x_1 \ldots \lambda x_n . B)\ t_1 \ldots t_n$; this term is, of course, considered to be equal to any other term that it λ-converts to. By contrast, the nominal capture avoiding application of θ to B is written as B⟦θ⟧ and is defined as follows. Assuming that π is a permutation of nominal constants that maps those appearing in supp(B) to ones not appearing in supp(θ), let B' = π.B. Then B⟦θ⟧ = B'[θ]. 

The notation B[θ] generalizes the one used in the quantifier rules in Figure 3.1. The definition of the nominal capture avoiding application of a substitution is ambiguous in that we do not uniquely specify the permutation to be used. We resolve this ambiguity by deeming as acceptable any permutation that avoids conflicts. As a special instance of the lemma below, we see that for any given formula B and substitution θ, all the possible values for B⟦θ⟧ are equivalent modulo the ∼ relation. Moreover, as we show in Chapter 4, formulas that are equivalent under ∼ are interchangeable in the contexts of proofs. 

Lemma 3.2.3. If t ∼ t' then t⟦θ⟧ ∼ t'⟦θ⟧. 

Proof. Let t be λ-convertible to π₁.t', let t⟦θ⟧ = (π₂.t)[θ] where supp(π₂.t) ∩ supp(θ) = ∅, and let t'⟦θ⟧ be λ-convertible to (π₃.t')[θ] where supp(π₃.t') ∩ supp(θ) = ∅. Then we define a function π partially by the following rules: 

1. π(c) = π₂.π₁.π₃⁻¹(c) if c ∈ supp(π₃.t') and 

2. π(c) = c if c ∈ supp(θ). 

Since supp(π₃.t') ∩ supp(θ) = ∅, these rules are not contradictory, i.e., this (partial) function is well-defined. The range of the first rule is supp(π₂.π₁.π₃⁻¹.π₃.t') = supp(π₂.π₁.t') = supp(π₂.t) which is disjoint from the range of the second rule, supp(θ). Since the mapping in each rule is determined by a permutation, these rules together define a one-to-one partial mapping that can be extended to a bijection on 𝒞. We take any such extension to be the complete definition of π that must therefore be a permutation. 

To prove that t⟦θ⟧ ∼ t'⟦θ⟧ it suffices to show that (π₂.t)[θ] is λ-convertible to π.((π₃.t')[θ]). We do this by induction on the structure of t' under the further assumption that t λ-converts to π₁.t'. Suppose t' is an abstraction. Then, it is easy to see that (π₂.t)[θ] λ-converts to λx.((π₂.s)[θ]) and π.((π₃.t')[θ]) λ-converts to λx.(π.((π₃.s')[θ])) for some choice of variable x and terms s and s' such that s' is structurally less complex than t' and s λ-converts to π₁.s'. But then, by the induction hypothesis, (π₂.s)[θ] λ-converts to π.((π₃.s')[θ]) and hence (π₂.t)[θ] is λ-convertible to π.((π₃.t')[θ]). A similar and, in fact, simpler argument can be provided in the case where t' is an application. If t' is a nominal constant c then (π₂.t)[θ] must be λ-convertible to (π₂.π₁.c)[θ] = π₂.π₁.c. Also, π.((π₃.t')[θ]) must be λ-convertible to π.π₃.c. Further, in this case the first rule for π applies which means π.π₃.c = π₂.π₁.π₃⁻¹.π₃.c = π₂.π₁.c. Thus (π₂.t)[θ] is again λ-convertible to π.((π₃.t')[θ]). Finally, suppose t' is a variable x. In this case t must be λ-convertible to x so that we must show x[θ] λ-converts to π.(x[θ]). If x does not have a binding in θ then both terms are equal. Alternatively, if x[θ] = s then π.s = s by the second rule for π and so the two terms are again equal. Thus (π₂.t)[θ] λ-converts to π.((π₃.t')[θ]), as is required. □ 

The nominal capture avoiding application of substitutions turns out to be the dominant 
notion in the analysis of provability. For this reason, when we speak of the application of 
a substitution in an unqualified way, we shall mean the nominal capture avoiding form of 
this notion. 

We shall need to consider the composition of substitutions later in this section. The 
definition of this notion must also pay attention to the presence of nominal constants. 

Definition 3.2.4. Given a substitution θ and a permutation π of nominal constants, let π.θ denote the substitution that is obtained by replacing each t/x in θ with (π.t)/x. Given any two substitutions θ and ρ, let θ ∘ ρ denote the substitution that is such that B[θ ∘ ρ] = B[θ][ρ]. In this context, the nominal capture avoiding composition of θ and ρ is written as θ • ρ and defined as follows. Let π be a permutation of nominal constants such that supp(π.θ) is disjoint from supp(ρ). Then θ • ρ = (π.θ) ∘ ρ. 

The notation θ ∘ ρ in the above definition represents the usual composition of θ and ρ and can, in fact, be given in an explicit form based on these substitutions. Thus, θ • ρ can also be presented in an explicit form. Notice that our definition of nominal capture avoiding composition is, once again, ambiguous because it does not fix the permutation to be used, accepting instead any one that satisfies the constraints. However, as before, this ambiguity is harmless. To understand this, we first extend the notion of equivalence under permutations to substitutions. 

Definition 3.2.5. Two substitutions θ and ρ are considered to be permutation equivalent, written θ ∼ ρ, if and only if there is a permutation of nominal constants π such that θ = π.ρ. This notion of equivalence may also be parameterized by a set of variables Σ as follows: $\theta \sim_\Sigma \rho$ just in the case that θ↾Σ ∼ ρ↾Σ. 

It is easy to see that all possible choices for θ • ρ are permutation equivalent and that if φ₁ ∼ φ₂ then B⟦φ₁⟧ ∼ B⟦φ₂⟧ for any term B. Thus, if our focus is on provability, the ambiguity in Definition 3.2.4 is inconsequential by a result to be established in Chapter 4. As a further observation, note that B⟦θ • ρ⟧ ∼ B⟦θ⟧⟦ρ⟧ for any B. Hence our notion of nominal capture avoiding composition of substitutions is sensible. 

The composition operation can be used to define an ordering relation between substi- 
tutions: 

Definition 3.2.6. Given two substitutions ρ and θ, we say ρ is less general than θ, notated as ρ ≤ θ, if and only if there exists a σ such that ρ ∼ θ • σ. This relation can also be parameterized by a set of variables: ρ is less general than θ relative to Σ, written as $\rho \leq_\Sigma \theta$, if and only if ρ↾Σ ≤ θ↾Σ. 

The notion of generality between substitutions that is based on nominal capture avoiding composition has a different flavor from that based on the traditional form of substitution composition. For example, if a is a nominal constant, the substitution {a/x} is strictly less general than {a/x, y' a/y} relative to Σ for any Σ which contains x and y. To see this, note that we can compose the latter substitution with {(λz.y)/y'} to obtain the former, but the naive attempt to compose the former with {y' a/y} yields {b/x, y' a/y} where b is a nominal constant distinct from a. In fact, the "most general" solution relative to Σ containing {a/x} will be {a/x} ∪ {z' a/z | z ∈ Σ, z ≠ x}. 

3.2.2 Nominal Abstraction 

The nominal abstraction relation allows implicit formula-level bindings represented by nominal constants to be moved into explicit abstractions over terms. The following notation is useful for defining this relationship. 

Notation 3.2.7. Let t be a term, let $c_1, \ldots, c_n$ be distinct nominal constants that possibly occur in t, and let $y_1, \ldots, y_n$ be distinct variables not occurring in t and such that, for 1 ≤ i ≤ n, $y_i$ and $c_i$ have the same type. Then we write $\lambda c_1 \ldots \lambda c_n . t$ to denote the term $\lambda y_1 \ldots \lambda y_n . t'$ where t' is the term obtained from t by replacing $c_i$ by $y_i$ for 1 ≤ i ≤ n. 

There is an ambiguity in the notation introduced above in that the choice of variables $y_1, \ldots, y_n$ is not fixed. However, this ambiguity is harmless: the terms that are produced by acceptable choices are all equivalent under a renaming of bound variables. 

Definition 3.2.8. Let n ≥ 0 and let s and t be terms of type $\tau_1 \to \cdots \to \tau_n \to \tau$ and τ, respectively; notice, in particular, that s takes n arguments to yield a term of the same type as t. Then the expression s ▷ t is a formula that is referred to as a nominal abstraction of degree n or simply as a nominal abstraction. The symbol ▷ is used here in an overloaded way in that the degree of the nominal abstraction it participates in can vary. The nominal abstraction s ▷ t of degree n is said to hold just in the case that s λ-converts to $\lambda c_1 \ldots \lambda c_n . t$ for some nominal constants $c_1, \ldots, c_n$. 

Clearly, nominal abstraction of degree 0 is the same as equality between terms based on λ-conversion, and we will therefore use = to denote this relation in that situation. In the more general case, the term on the left of the operator serves as a pattern for isolating occurrences of nominal constants. For example, the relation (λx.x) ▷ t holds exactly when t is a nominal constant. 

The symbol ▷ corresponds, at the moment, to a mathematical relation that holds between pairs of terms as explicated by Definition 3.2.8. We now overload this symbol by treating it also as a binary predicate symbol of G. In the next subsection we shall add inference rules to make the mathematical understanding of ▷ coincide with its syntactic use as a predicate in sequents. It is, of course, necessary to be able to determine when we mean to use ▷ in the mathematical sense and when as a logical symbol. When we write an expression such as s ▷ t without qualification, this should be read as a logical formula whereas if we say that "s ▷ t holds" then we are referring to the abstract relation from Definition 3.2.8. We might also sometimes use an expression such as "(s ▷ t)⟦θ⟧ holds." In this case, we first treat s ▷ t as a formula to which we apply the substitution θ in a nominal capture avoiding way to get a (syntactic) expression of the form s' ▷ t'. We then read ▷ in the mathematical sense, interpreting the overall expression as the assertion that "s' ▷ t' holds." Note in this context that s ▷ t constitutes a single formula when read syntactically and hence the expression (s ▷ t)⟦θ⟧ is, in general, not equivalent to the expression s⟦θ⟧ ▷ t⟦θ⟧. 

In the proof-theoretic setting, nominal abstraction will be used with terms that contain 
free occurrences of variables for which substitutions can be made. The following definition 
is relevant to this situation. 

Definition 3.2.9. A substitution θ is said to be a solution to the nominal abstraction s ▷ t just in the case that (s ▷ t)⟦θ⟧ holds. 

Solutions to a nominal abstraction can be used to provide rich characterizations of the structures of terms. For example, consider the nominal abstraction (λx. fresh x T) ▷ S in which T and S are variables and fresh is a binary predicate symbol. Any solution to this problem requires that S be substituted for by a term of the form fresh a R where a is a nominal constant and R is a term in which a does not appear, i.e., a must be "fresh" to R. 
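The definitions above are concrete enough to execute. As an added example (not code from the thesis or from any implementation of G), the Python below models the permutation action π.t of Section 3.1.3, supp, the ordinary and nominal capture avoiding applications B[θ] and B⟦θ⟧ of Definition 3.2.2, the nominal abstraction relation s ▷ t of Definition 3.2.8 on closed βη-normal terms, and solutions in the sense of Definition 3.2.9, including the fresh example just given. It assumes an untyped locally nameless term syntax (bound variables as de Bruijn indices) and uses names of its own (Var, Nom, nca_subst, is_solution, and the constants fresh and R).

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# Locally nameless λ-terms (assumed βη-normal and untyped): binders use de Bruijn
# indices (BVar); eigenvariables are Var, nominal constants Nom, other constants Const.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class BVar: index: int
@dataclass(frozen=True)
class Nom: name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class Lam: body: "Term"
@dataclass(frozen=True)
class App: fn: "Term"; arg: "Term"
Term = Union[Var, BVar, Nom, Const, Lam, App]
Subst = Dict[str, Term]   # θ = {t1/x1, ..., tn/xn}, keyed by variable name
Perm = Dict[str, str]     # permutation of nominal constants, identity where a name is absent

def supp(t: Term) -> Set[str]:
    """supp(t): the nominal constants occurring in t."""
    if isinstance(t, Nom): return {t.name}
    if isinstance(t, Lam): return supp(t.body)
    if isinstance(t, App): return supp(t.fn) | supp(t.arg)
    return set()

def permute(pi: Perm, t: Term) -> Term:
    """π.t from Section 3.1.3: π acts on nominal constants and passes through everything else."""
    if isinstance(t, Nom): return Nom(pi.get(t.name, t.name))
    if isinstance(t, Lam): return Lam(permute(pi, t.body))
    if isinstance(t, App): return App(permute(pi, t.fn), permute(pi, t.arg))
    return t

def subst(theta: Subst, t: Term) -> Term:
    """Ordinary application B[θ]; de Bruijn binders cannot capture variables of the range terms."""
    if isinstance(t, Var): return theta.get(t.name, t)
    if isinstance(t, Lam): return Lam(subst(theta, t.body))
    if isinstance(t, App): return App(subst(theta, t.fn), subst(theta, t.arg))
    return t

def supp_subst(theta: Subst) -> Set[str]:
    """supp(θ): nominal constants in the range of θ (Definition 3.2.1)."""
    return set().union(*(supp(r) for r in theta.values()))

def avoiding_perm(terms: List[Term], theta: Subst) -> Perm:
    """A permutation (a product of swaps) moving constants shared by `terms` and supp(θ) to fresh ones."""
    here = set().union(*(supp(u) for u in terms))
    avoid = here | supp_subst(theta)
    pi: Perm = {}
    for c in sorted(here & supp_subst(theta)):
        i = 1
        while f"{c}{i}" in avoid: i += 1
        d = f"{c}{i}"             # constructed fresh name, e.g. a -> a1
        avoid.add(d)
        pi[c], pi[d] = d, c       # a swap, so π is a bijection on nominal constants
    return pi

def nca_subst(theta: Subst, t: Term) -> Term:
    """Nominal capture avoiding application B⟦θ⟧ = (π.B)[θ] (Definition 3.2.2)."""
    return subst(theta, permute(avoiding_perm([t], theta), t))

def nca_subst_formula(theta: Subst, s: Term, t: Term) -> Tuple[Term, Term]:
    """(s ▷ t)⟦θ⟧: the formula is renamed as one unit, with a single π covering both sides."""
    pi = avoiding_perm([s, t], theta)
    return subst(theta, permute(pi, s)), subst(theta, permute(pi, t))

def nominal_abstraction_holds(s: Term, t: Term, n: int) -> bool:
    """Definition 3.2.8 on closed normal terms: does s λ-convert to λc1...λcn.t for distinct c1..cn?"""
    body = s
    for _ in range(n):
        if not isinstance(body, Lam): return False
        body = body.body
    chosen: Dict[int, str] = {}   # abstracted position (0 = innermost binder, i.e. c_n) -> constant

    def go(u: Term, v: Term, depth: int) -> bool:
        if isinstance(u, BVar) and u.index >= depth:   # an occurrence of one of the abstracted y_i
            if not isinstance(v, Nom): return False
            k = u.index - depth
            if k in chosen: return chosen[k] == v.name
            if v.name in chosen.values(): return False  # the c_i must be pairwise distinct
            chosen[k] = v.name
            return True
        if isinstance(u, Lam) and isinstance(v, Lam): return go(u.body, v.body, depth + 1)
        if isinstance(u, App) and isinstance(v, App):
            return go(u.fn, v.fn, depth) and go(u.arg, v.arg, depth)
        return u == v   # inner BVar, Nom, Const or Var: must be identical

    # λc̄.t replaces every occurrence of each c_i, so no chosen constant may survive in the pattern body.
    return go(body, t, 0) and not (set(chosen.values()) & supp(body))

def is_solution(theta: Subst, s: Term, t: Term, n: int) -> bool:
    """Definition 3.2.9: θ solves s ▷ t when (s ▷ t)⟦θ⟧ holds."""
    return nominal_abstraction_holds(*nca_subst_formula(theta, s, t), n)
```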

An important property of solutions to a nominal abstraction is that these are preserved 
under permutations to nominal constants. We establish this fact in the lemma below; this 
lemma will be used later in showing the stability of the provability of sequents with respect 
to the replacement of formulas by ones they are equivalent to modulo the ~ relation. 

Lemma 3.2.10. Suppose (s ▷ t) ∼ (s' ▷ t'). Then s ▷ t and s' ▷ t' have exactly the same solutions. In particular, s ▷ t holds if and only if s' ▷ t' holds. 

Proof. We prove the particular result first. It suffices to only show it in the forward direction since ∼ is symmetric. Let π be the permutation such that the expression s' ▷ t' λ-converts to π.(s ▷ t). Now suppose s ▷ t holds since s λ-converts to λc̄.t. Then s' will λ-convert to λ(π.c̄).t' where π.c̄ is the result of applying π to each element in the sequence c̄. Thus s' ▷ t' holds. 

For the general result it again suffices to show it in one direction, i.e., that all the solutions of s ▷ t are solutions to s' ▷ t'. Let θ be a substitution such that (s ▷ t)⟦θ⟧ holds. By Lemma 3.2.3, (s ▷ t)⟦θ⟧ ∼ (s' ▷ t')⟦θ⟧. Thus by the particular result from the first half of this proof, (s' ▷ t')⟦θ⟧ holds. □ 

$$\frac{\{\Sigma\theta : \Gamma[\![\theta]\!] \longrightarrow C[\![\theta]\!] \mid \theta \text{ is a solution to } (s \triangleright t)\}}{\Sigma : \Gamma, s \triangleright t \longrightarrow C}\ \triangleright L \qquad
\frac{}{\Sigma : \Gamma \longrightarrow s \triangleright t}\ \triangleright R,\ \text{provided } s \triangleright t \text{ holds}$$

Figure 3.2: Nominal abstraction rules 

$$\frac{\{\Sigma\theta : \Gamma[\![\theta]\!] \longrightarrow C[\![\theta]\!] \mid \theta \in CSNAS(\Sigma, s, t)\}}{\Sigma : \Gamma, s \triangleright t \longrightarrow C}\ \triangleright L_{CSNAS}$$

Figure 3.3: A variant of ▷L based on CSNAS 

3.2.3 Proof Rules for Nominal Abstraction 

We now add the left and right introduction rules for ▷ that are shown in Figure 3.2 to link its use as a predicate symbol to its mathematical interpretation. The expression Σθ in the ▷L rule denotes the application of a substitution θ = $\{t_1/x_1, \ldots, t_n/x_n\}$ to the signature Σ that is defined to be the signature that results from removing from Σ the variables $\{x_1, \ldots, x_n\}$ and then adding every variable that is free in any term in $\{t_1, \ldots, t_n\}$. Notice also that in the same inference rule the operator ⟦θ⟧ is applied to a multiset of formulas in the natural way: Γ⟦θ⟧ = {B⟦θ⟧ | B ∈ Γ}. Note that the ▷L rule has an a priori unspecified number of premises that depends on the number of substitutions that are solutions to the relevant nominal abstraction. If s ▷ t expresses an unsatisfiable constraint, meaning that it has no solutions, then the premise of ▷L is empty and the rule provides an immediate proof of its conclusion. 

The ▷L and ▷R rules capture nicely the intended interpretation of nominal abstraction. However, there is an obstacle to using the former rule in derivations: this rule has an infinite number of premises any time the nominal abstraction s ▷ t has a solution. We can overcome this difficulty by describing a rule that includes only a few of these premises but in such a way that their provability ensures the provability of all the other premises. Since the provability of Γ ⟶ C implies the provability of Γ⟦θ⟧ ⟶ C⟦θ⟧ for any θ (a property established formally in Chapter 4), if the first sequent is a premise of an occurrence of the ▷L rule, the second does not need to be used as a premise of that same rule occurrence. Thus, we can limit the set of premises to be considered if we can identify with any given nominal abstraction a (possibly finite) set of solutions from which any other solution can be obtained through composition with a suitable substitution. The following definition formalizes the idea of such a "covering set." 

Definition 3.2.11. A complete set of nominal abstraction solutions (CSNAS) of s and t on Σ is a set S of substitutions such that 

1. each θ ∈ S is a solution to s ▷ t, and 

2. for every solution ρ to s ▷ t, there exists a θ ∈ S such that $\rho \leq_\Sigma \theta$. 

We denote any such set by CSNAS(Σ, s, t). 

Using this definition we present an alternative version of ▷L in Figure 3.3. Note that if we can find a finite complete set of nominal abstraction solutions then the number of premises to this rule will be finite. 

Theorem 3.2.12. The rules ▷L and $\triangleright L_{CSNAS}$ are inter-admissible. 

Proof. Suppose we have the following arbitrary instance of ▷L in a derivation: 

$$\frac{\{\Sigma\theta : \Gamma[\![\theta]\!] \longrightarrow C[\![\theta]\!] \mid \theta \text{ is a solution to } (s \triangleright t)\}}{\Sigma : \Gamma, s \triangleright t \longrightarrow C}\ \triangleright L$$

This rule can be replaced with a use of $\triangleright L_{CSNAS}$ instead if we could be certain that, for each ρ ∈ CSNAS(Σ, s, t), it is the case that Σρ : Γ⟦ρ⟧ ⟶ C⟦ρ⟧ is included in the set of premises of the shown rule instance. But this must be the case: by the definition of CSNAS, each such ρ is a solution to s ▷ t. 

In the other direction, suppose we have the following arbitrary instance of $\triangleright L_{CSNAS}$: 

$$\frac{\{\Sigma\theta : \Gamma[\![\theta]\!] \longrightarrow C[\![\theta]\!] \mid \theta \in CSNAS(\Sigma, s, t)\}}{\Sigma : \Gamma, s \triangleright t \longrightarrow C}\ \triangleright L_{CSNAS}$$

To replace this rule with a use of the ▷L rule instead, we need to be able to construct a derivation of Σρ : Γ⟦ρ⟧ ⟶ C⟦ρ⟧ for each ρ that is a solution to s ▷ t. By the definition of CSNAS, we know that for any such ρ there exists a θ ∈ CSNAS(Σ, s, t) such that $\rho \leq_\Sigma \theta$, i.e., such that there exists a σ for which ρ↾Σ ∼ (θ↾Σ) • σ. Since we are considering the application of these substitutions to a sequent all of whose eigenvariables are contained in Σ, we can drop the restriction on the substitutions and suppose that ρ ∼ θ • σ. Now, we shall show in Chapter 4 that if a sequent has a derivation then the result of applying a substitution to it in a nominal capture-avoiding way produces a sequent that also has a derivation. Using this observation, it follows that Σθσ : Γ⟦θ⟧⟦σ⟧ ⟶ C⟦θ⟧⟦σ⟧ has a proof. But this sequent is permutation equivalent to Σρ : Γ⟦ρ⟧ ⟶ C⟦ρ⟧ which must, again by a result established explicitly in Chapter 4, also have a proof. □ 



Theorem 3.2.12 allows us to choose which of the left rules we wish to consider in any given context. We shall assume the ▷L rule in the formal treatment in the rest of this thesis, leaving the use of the $\triangleright L_{CSNAS}$ rule to practical applications of the logic. 
3.2.4 Computing Complete Sets of Nominal Abstraction Solutions 

For the $\triangleright L_{CSNAS}$ rule to be useful, we need an effective way to compute restricted complete sets of nominal abstraction solutions. We show here that the task of finding such complete sets of solutions can be reduced to that of finding complete sets of unifiers (CSU) for higher-order unification problems [Hue75]. In the straightforward approach to finding a solution to a nominal abstraction s ▷ t, we would first identify a substitution θ that we apply to s ▷ t to get s' ▷ t' and we would subsequently look for nominal constants to abstract from t' to get s'. To relate this problem to the usual notion of unification, we would like to invert this order: in particular, we would like to consider all possible ways of abstracting over nominal constants first and only later think of applying substitutions to make the terms equal. The difficulty with this second approach is that we do not know which nominal constants might appear in t' until after the substitution is applied. However, there is a way around this problem. Given the nominal abstraction s ▷ t of degree n, we first consider substitutions for the variables occurring in it that introduce n new nominal constants in a completely general way. Then we consider all possible ways of abstracting over the nominal constants appearing in the altered form of t and, for each of these cases, we look for a complete set of unifiers. 

The idea described above is formalized in the following definition and associated theorem. We use the notation CSU(s, t) in them to denote an arbitrary but fixed selection of a complete set of unifiers for the terms s and t. 

Definition 3.2.13. Let s and t be terms of type $\tau_1 \to \cdots \to \tau_n \to \tau$ and τ, respectively. Let $c_1, \ldots, c_n$ be n distinct nominal constants disjoint from supp(s ▷ t) such that, for 1 ≤ i ≤ n, $c_i$ has the type $\tau_i$. Let Σ be a set of variables and for each h ∈ Σ of type τ', let h' be a distinct variable not in Σ that has type $\tau_1 \to \cdots \to \tau_n \to \tau'$. Let σ = $\{h'\ c_1 \ldots c_n / h \mid h \in \Sigma\}$ and let s' = s[σ] and t' = t[σ]. Let 

$$C = \bigcup_{\bar{a}} CSU(\lambda \bar{b}.s', \lambda \bar{b}.\lambda \bar{a}.t')$$

where $\bar{a} = a_1, \ldots, a_n$ ranges over all selections of n distinct nominal constants from supp(t) ∪ {c̄} such that, for 1 ≤ i ≤ n, $a_i$ has type $\tau_i$ and $\bar{b}$ is some corresponding listing of all the nominal constants in s' and t' that are not included in $\bar{a}$. Then we define 

$$S(\Sigma, s, t) = \{\sigma \bullet \rho \mid \rho \in C\}$$

The use of the substitution σ above represents another instance of the application of the general technique of raising that allows certain variables (the h variables in this definition) whose substitution instances might depend on certain nominal constants ($c_1, \ldots, c_n$ here) to be replaced by new variables of higher type (the h' variables) whose substitution instances are not allowed to depend on those nominal constants. This technique was previously used in the ∃L and ∀R rules presented in Section 3.1. 
$$\frac{\Sigma : \Gamma, B\ p\ \bar{t} \longrightarrow C}{\Sigma : \Gamma, p\ \bar{t} \longrightarrow C}\ defL \qquad
\frac{\Sigma : \Gamma \longrightarrow B\ p\ \bar{t}}{\Sigma : \Gamma \longrightarrow p\ \bar{t}}\ defR$$

Figure 3.4: Introduction rules for atoms whose predicate is defined as $\forall \bar{x} .\ p\ \bar{x} \triangleq B\ p\ \bar{x}$ 

Theorem 3.2.14. S(Σ, s, t) is a complete set of nominal abstraction solutions for s ▷ t on Σ. 

Proof. First note that supp(σ) ∩ supp(s ▷ t) = ∅ and thus (s ▷ t)⟦σ⟧ is equal to (s' ▷ t'). Now we must show that every element of S(Σ, s, t) is a solution to s ▷ t. Let σ • ρ ∈ S(Σ, s, t) be an arbitrary element where σ is as in Definition 3.2.13, ρ is from CSU(λb̄.s', λb̄.λā.t'), and s' = s[σ] and t' = t[σ]. By the definition of CSU we know (λb̄.s' = λb̄.λā.t')[ρ] holds. This means (s' = λā.t')⟦ρ⟧ holds and thus (s' ▷ t')⟦ρ⟧ holds. Rewriting s' and t' in terms of s and t this means (s ▷ t)⟦σ • ρ⟧ holds. Thus σ • ρ is a solution to s ▷ t. 

In the other direction, we must show that if θ is a solution to s ▷ t then there exists σ • ρ ∈ S(Σ, s, t) such that $\theta \leq_\Sigma \sigma \bullet \rho$. Let θ be a solution to s ▷ t. Then we know (s ▷ t)⟦θ⟧ holds. The substitution θ may introduce some nominal constants which are abstracted out of the right-hand side when determining equality, so let us call these the important nominal constants. Let σ = $\{h'\ c_1 \ldots c_n / h \mid h \in \Sigma\}$ be as in Definition 3.2.13 and let π' be a permutation which maps the important nominal constants of θ to nominal constants from $c_1, \ldots, c_n$. This is possible since n nominal constants are abstracted from the right-hand side and thus there are at most n important nominal constants. Then let θ' = π'.θ, so that (s ▷ t)⟦θ'⟧ holds and it suffices to show that $\theta' \leq_\Sigma \sigma \bullet \rho$. Note that all we have done at this point is to rename the important nominal constants of θ so that they match those introduced by σ. Now we define ρ' = $\{\lambda c_1 \ldots \lambda c_n . r / h' \mid r/h \in \theta'\}$ so that θ' = σ • ρ'. Thus (s ▷ t)[σ]⟦ρ'⟧ holds. By construction, σ shares no nominal constants with s and t, thus we know (s' ▷ t')⟦ρ'⟧ holds where s' = s[σ] and t' = t[σ]. Also by construction, ρ' contains no important nominal constants and thus (s' = λā.t')⟦ρ'⟧ holds for some nominal constants ā taken from supp(t) ∪ {c̄}. If we let b̄ be a listing of all nominal constants in s' and t' but not in ā, then (λb̄.s' = λb̄.λā.t')⟦ρ'⟧ holds. At this point the inner equality has no nominal constants and thus the substitution ρ' can be applied without renaming: (λb̄.s' = λb̄.λā.t')[ρ'] holds. By the definition of CSU, there must be a ρ ∈ CSU(λb̄.s', λb̄.λā.t') such that ρ' ≤ ρ. Thus $\sigma \bullet \rho' \leq_\Sigma \sigma \bullet \rho$ as desired. □ 

3.3 Definitions, Induction, and Co-induction 

The sequent calculus rules presented in Figure 3.1 treat atomic judgments as fixed, unanalyzed objects. We now add the capability of defining such judgments by means of formulas, possibly involving other predicates. In particular, we shall assume that we are given a fixed, finite set of clauses of the form $\forall\bar{x}.\, p\,\bar{x} \triangleq B\,p\,\bar{x}$ where $p$ is a predicate constant that takes a number of arguments equal to the length of $\bar{x}$. Such a clause is said to define $p$ and the entire collection of clauses is called a definition. The expression $B$, called the body of the clause, must be a term that does not contain $p$ or any of the variables in $\bar{x}$ and must have a type such that $B\,p\,\bar{x}$ has type $o$. Definitions are also restricted so that a predicate is defined by at most one clause. The intended interpretation of a clause $\forall\bar{x}.\, p\,\bar{x} \triangleq B\,p\,\bar{x}$ is that the atomic formula $p\,\bar{t}$, where $\bar{t}$ is a list of terms of the same length and type as the variables in $\bar{x}$, is true if and only if $B\,p\,\bar{t}$ is true. This interpretation is realized by adding to the calculus the rules defL and defR shown in Figure 3.4 for unfolding predicates on the left and the right of sequents using their defining clauses.

A definition can have a recursive structure. For example, in the clause $\forall\bar{x}.\, p\,\bar{x} \triangleq B\,p\,\bar{x}$, the predicate $p$ can appear free in $B\,p\,\bar{x}$. In this setting, the meanings of predicates are intended to be given by any one of the fixed points that can be associated with the definition. Such an interpretation may not always be sensible. In particular, without further restrictions, the resulting proof system may not be consistent. There are two constraints that suffice to ensure consistency. First, the body of a clause must not contain any nominal constants. This restriction can be justified from another perspective as well: as we see in Chapter 4, it helps in establishing that $\sim$ is a provability preserving equivalence between formulas. Second, definitions should be stratified so that clauses, such as $a \triangleq (a \supset \bot)$, in which a predicate has a negative dependency on itself, are forbidden. While such stratification can be enforced in different ways, we use a simple approach to doing this in this thesis. This approach is based on associating with each predicate $p$ a natural number that is called its level and that is denoted by $\mathrm{lvl}(p)$. This measure is then extended to arbitrary formulas by the following definition.

Definition 3.3.1. Given an assignment of levels to predicates, the function $\mathrm{lvl}$ is extended to all formulas in $\lambda$-normal form as follows:

1. $\mathrm{lvl}(p\,\bar{t}) = \mathrm{lvl}(p)$

2. $\mathrm{lvl}(\bot) = \mathrm{lvl}(\top) = \mathrm{lvl}(s \triangleright t) = 0$

3. $\mathrm{lvl}(B \wedge C) = \mathrm{lvl}(B \vee C) = \max(\mathrm{lvl}(B), \mathrm{lvl}(C))$

4. $\mathrm{lvl}(B \supset C) = \max(\mathrm{lvl}(B) + 1, \mathrm{lvl}(C))$

5. $\mathrm{lvl}(\forall x.B) = \mathrm{lvl}(\nabla x.B) = \mathrm{lvl}(\exists x.B) = \mathrm{lvl}(B)$

In general, the level of a formula $B$, written as $\mathrm{lvl}(B)$, is the level of its $\lambda$-normal form.

A definition is stratified if we can assign levels to predicates in such a way that $\mathrm{lvl}(B\,p\,\bar{x}) \leq \mathrm{lvl}(p)$ for each clause $\forall\bar{x}.\, p\,\bar{x} \triangleq B\,p\,\bar{x}$ in that definition.

The defL and defR rules do not discriminate between any of the fixed points of a definition. We now allow the selection of least and greatest fixed points so as to support inductive and co-inductive definitions of predicates. Specifically, we denote an inductive clause by $\forall\bar{x}.\, p\,\bar{x} \overset{\mu}{\triangleq} B\,p\,\bar{x}$ and a co-inductive one by $\forall\bar{x}.\, p\,\bar{x} \overset{\nu}{\triangleq} B\,p\,\bar{x}$. As a refinement of the earlier restriction on definitions, a predicate may have at most one defining clause that is designated to be inductive, co-inductive or neither. The defL and defR rules may be used with clauses in any one of these forms. Clauses that are inductive admit additionally the left rule IL shown in Figure 3.5. This rule is based on the observation that the least fixed point of a monotone operator is the intersection of all its pre-fixed points; intuitively, anything that follows from any pre-fixed point should then also follow from the least fixed point. In a proof search setting, the term corresponding to the schema variable $S$ in this rule functions like the induction hypothesis and is accordingly called the invariant of the induction. Clauses that are co-inductive, on the other hand, admit the right rule CIR also presented in Figure 3.5. This rule reflects the fact that the greatest fixed point of a monotone operator is the union of all the post-fixed points; any member of such a post-fixed point must therefore also be a member of the greatest fixed point. The substitution that is used for $S$ in this rule is called the co-invariant or the simulation of the co-induction. Just like the restriction on the body of clauses, in both IL and CIR, the (co-)invariant $S$ must not contain any nominal constants.

$$\frac{\bar{x} : B\,S\,\bar{x} \longrightarrow S\,\bar{x} \qquad \Sigma : \Gamma, S\,\bar{t} \longrightarrow C}{\Sigma : \Gamma, p\,\bar{t} \longrightarrow C}\ \mathcal{IL}$$

provided $p$ is defined as $\forall\bar{x}.\, p\,\bar{x} \overset{\mu}{\triangleq} B\,p\,\bar{x}$ and $S$ is a term that has the same type as $p$

$$\frac{\Sigma : \Gamma \longrightarrow S\,\bar{t} \qquad \bar{x} : S\,\bar{x} \longrightarrow B\,S\,\bar{x}}{\Sigma : \Gamma \longrightarrow p\,\bar{t}}\ \mathcal{CIR}$$

provided $p$ is defined as $\forall\bar{x}.\, p\,\bar{x} \overset{\nu}{\triangleq} B\,p\,\bar{x}$ and $S$ is a term that has the same type as $p$

Figure 3.5: The induction left and co-induction right rules

As a simple illustration of the use of these rules, consider the clause $p \overset{\mu}{\triangleq} p$. The desired inductive reading of this clause implies that $p$ must be false. In a proof-theoretic setting, we would therefore expect that the sequent $\cdot : p \longrightarrow \bot$ can be proved. This can, in fact, be done by using IL with the invariant $S = \bot$. On the other hand, consider the clause $q \overset{\nu}{\triangleq} q$. The co-inductive reading intended here implies that $q$ must be true. The logic $\mathcal{G}$ satisfies this expectation: the sequent $\cdot : \cdot \longrightarrow q$ can be proved using CIR with the co-invariant $S = \top$.

The addition of inductive and co-inductive forms of clauses and the mixing of these forms in one setting might be expected to require stronger conditions than those described earlier in this section to guarantee consistency. One condition, in addition to the absence of nominal constants in the bodies of clauses and stratification based on levels, that suffices and that is also practically acceptable is the following that is taken from [TM09]: in a clause of any of the forms $\forall\bar{x}.\, p\,\bar{x} \triangleq B\,p\,\bar{x}$, $\forall\bar{x}.\, p\,\bar{x} \overset{\mu}{\triangleq} B\,p\,\bar{x}$ or $\forall\bar{x}.\, p\,\bar{x} \overset{\nu}{\triangleq} B\,p\,\bar{x}$, it must be that $\mathrm{lvl}(B\,(\lambda\bar{x}.\top)\,\bar{x}) < \mathrm{lvl}(p)$. This disallows any mutual recursion between clauses, a restriction which can easily be overcome by merging mutually recursive clauses into a single clause. We henceforth assume that all definitions satisfy all three conditions described for them in this section. Corollary 4.1.7 in Chapter 4 establishes the consistency of the logic under these restrictions.
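The level function of Definition 3.3.1 and the two level conditions of this section, run on sample definitions, as an added example that is not the thesis's own code. It assumes an encoding of formulas as nested Python tuples with opaque string arguments, treats equality as a nominal abstraction (level 0), and does not model the restriction on nominal constants in bodies; the tag names and the fixed-point search are this example's own choices.

```python
# Levels (Definition 3.3.1) and the two stratification conditions of
# Section 3.3, on formulas encoded as nested tuples (an added example, not
# the thesis's code).  Atoms carry opaque string arguments; equality is
# treated as a nominal abstraction, i.e. it has level 0.

def atom(p, *args):          # p t̄
    return ("atom", p, args)

BOT, TOP = ("bot",), ("top",)

def nabs(s, t):              # s ⊳ t (also used for s = t)
    return ("nabs", s, t)

def conj(b, c): return ("and", b, c)
def disj(b, c): return ("or", b, c)
def imp(b, c):  return ("imp", b, c)
def forall(x, b): return ("forall", x, b)
def exists(x, b): return ("exists", x, b)
def nabla(x, b):  return ("nabla", x, b)


def lvl(f, levels):
    """Extend a predicate-level assignment to a formula (Definition 3.3.1)."""
    tag = f[0]
    if tag == "atom":
        return levels[f[1]]                     # lvl(p t̄) = lvl(p)
    if tag in ("bot", "top", "nabs"):
        return 0                                # lvl(⊥) = lvl(⊤) = lvl(s ⊳ t) = 0
    if tag in ("and", "or"):
        return max(lvl(f[1], levels), lvl(f[2], levels))
    if tag == "imp":                            # a negative occurrence costs one level
        return max(lvl(f[1], levels) + 1, lvl(f[2], levels))
    if tag in ("forall", "exists", "nabla"):
        return lvl(f[2], levels)
    raise ValueError("unknown formula tag %r" % tag)


def replace_pred(f, p, by):
    """Replace every atom p t̄ in f by the formula `by`.  With by = ⊤ this
    computes B (λx̄.⊤) x̄ from the instantiated body B p x̄."""
    tag = f[0]
    if tag == "atom":
        return by if f[1] == p else f
    if tag in ("bot", "top", "nabs"):
        return f
    if tag in ("and", "or", "imp"):
        return (tag, replace_pred(f[1], p, by), replace_pred(f[2], p, by))
    return (tag, f[1], replace_pred(f[2], p, by))   # quantifiers


def stratify(definition):
    """Look for levels such that every clause p ≜ B p x̄ in `definition`
    (a dict p -> B p x̄) satisfies
        lvl(B p x̄)         <= lvl(p)   (stratification), and
        lvl(B (λx̄.⊤) x̄)  <  lvl(p)   (the condition taken from [TM09]).
    Both bounds only ever push a level up, so raising levels until nothing
    changes finds the least assignment if one exists.  A negative
    self-dependency such as a ≜ (a ⊃ ⊥), or mutual recursion between
    clauses, forces a level above itself forever; then we return None."""
    levels = {p: 0 for p in definition}
    for _ in range(len(definition) + 2):        # enough rounds for any dependency chain
        changed = False
        for p, body in definition.items():
            need = max(lvl(body, levels),
                       lvl(replace_pred(body, p, TOP), levels) + 1)
            if need > levels[p]:
                levels[p] = need
                changed = True
        if not changed:
            return levels
    return None                                 # no assignment exists


# Constructed sample definitions (clause bodies written out explicitly).
# member X K ≜ (∃L. K = X::L) ∨ (∃Y∃L. K = Y::L ∧ member X L)
MEMBER = {"member": disj(exists("L", nabs("K", "X :: L")),
                         exists("Y", exists("L", conj(nabs("K", "Y :: L"),
                                                       atom("member", "X", "L")))))}
# a ≜ (a ⊃ ⊥): the negative self-dependency that stratification forbids
NEGATIVE = {"a": imp(atom("a"), BOT)}
# even ≜ ⊤ ∨ odd N, odd ≜ even N: mutual recursion, ruled out by the [TM09] bound
MUTUAL = {"even": disj(TOP, atom("odd", "N")), "odd": atom("even", "N")}

if __name__ == "__main__":
    for name, d in [("member", MEMBER), ("a", NEGATIVE), ("even/odd", MUTUAL)]:
        print(name, "->", stratify(d))
```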

3.4 A Pattern-Based Form for Definitions 

When presenting a definition for a predicate, it is often convenient to write this as a collection of clauses whose applicability is also constrained by patterns appearing in the head. For example, in logics that support equality but not nominal abstraction, list membership may be defined by the two pattern-based clauses shown below.

$$\mathit{member}\ X\ (X :: L) \triangleq \top \qquad \mathit{member}\ X\ (Y :: L) \triangleq \mathit{member}\ X\ L$$

These logics also include rules for directly treating definitions presented in this way. In 
understanding these rules, use may be made of the translation of the extended form of 
definitions to a version that does not use patterns in the head and in which there is at most 
one clause for each predicate. For example, the definition of the list membership predicate 
would be translated to the following form: 

$$\mathit{member}\ X\ K \triangleq (\exists L.\, K = (X :: L)) \vee (\exists Y \exists L.\, K = (Y :: L) \wedge \mathit{member}\ X\ L)$$

The treatment of patterns and multiple clauses can now be understood in terms of the rules 
for definitions using a single clause and the rules for equality, disjunction, and existential 
quantification. 

In the logic $\mathcal{G}$, the notion of equality has been generalized to that of nominal abstraction. This allows us also to expand the pattern-based form of definitions to use nominal abstraction in determining the selection of clauses. By doing this, we would allow the head of a clausal definition to describe not only the term structure of the arguments, but also to place restrictions on the occurrences of nominal constants in these arguments. For example, suppose we want to describe the contexts in typing judgments by lists of the form $\mathit{of}\ c_1\ T_1 :: \mathit{of}\ c_2\ T_2 :: \ldots :: \mathit{nil}$ with the further proviso that each $c_i$ is a distinct nominal constant. We will allow this to be done by using the following pattern-based form of definition for the predicate $\mathit{ctx}$:

$$\mathit{ctx}\ \mathit{nil} \triangleq \top \qquad (\nabla x.\, \mathit{ctx}\ (\mathit{of}\ x\ T :: L)) \triangleq \mathit{ctx}\ L$$

Intuitively, the $\nabla$ quantifier in the head of the second clause imposes the requirement that, to match it, the argument of $\mathit{ctx}$ should have the form $\mathit{of}\ x\ T :: L$ where $x$ is a nominal constant that does not occur in either $T$ or $L$. To understand this interpretation, we could think of the earlier definition of $\mathit{ctx}$ as corresponding to the following one that does not use patterns or multiple clauses:

$$\mathit{ctx}\ K \triangleq (K = \mathit{nil}) \vee (\exists T \exists L.\, (\lambda x.\, \mathit{of}\ x\ T :: L) \triangleright K \wedge \mathit{ctx}\ L)$$

Our objective in the rest of this section is to develop machinery for allowing the extended form of definitions to be used directly. We do this by presenting its syntax formally, by describing rules that allow us to work off of such definitions and, finally, by justifying the new rules by means of a translation of the kind indicated above.

$$\frac{\Sigma : \Gamma \longrightarrow (B\,p\,\bar{x})[\theta]}{\Sigma : \Gamma \longrightarrow p\,\bar{s}}\ \mathit{def}\mathcal{R}^{\mathcal{P}}$$

for any clause $\forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \triangleq B\,p\,\bar{x}$ in $\mathcal{P}$ and any $\theta$ such that $\mathrm{range}(\theta) \cap \Sigma = \emptyset$ and $(\lambda\bar{z}.\, p\,\bar{t})[\theta] \triangleright p\,\bar{s}$ holds

$$\frac{\{\Sigma\theta : \Gamma[\theta], (B\,p\,\bar{x})[\theta] \longrightarrow C[\theta] \mid \forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \triangleq B\,p\,\bar{x} \in \mathcal{P} \text{ and } \theta \text{ is a solution to } ((\lambda\bar{z}.\, p\,\bar{t}) \triangleright p\,\bar{s})\}}{\Sigma : \Gamma, p\,\bar{s} \longrightarrow C}\ \mathit{def}\mathcal{L}^{\mathcal{P}}$$

Figure 3.6: Introduction rules for a pattern-based definition $\mathcal{P}$

Definition 3.4.1. A pattern-based definition is a finite collection of clauses of the form

$$\forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \triangleq B\,p\,\bar{x}$$

where $\bar{t}$ is a sequence of terms that do not have occurrences of nominal constants in them, $p$ is a constant such that $p\,\bar{t}$ is of type $o$ and $B$ is a term devoid of occurrences of $p$, $\bar{x}$ and nominal constants and such that $B\,p\,\bar{t}$ is of type $o$. Further, we expect such a collection of clauses to satisfy a stratification condition: there must exist an assignment of levels to predicate symbols such that for any clause $\forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \triangleq B\,p\,\bar{x}$ occurring in the set, assuming $p$ has arity $n$, it is the case that $\mathrm{lvl}(B\,(\lambda\bar{x}.\top)\,\bar{x}) < \mathrm{lvl}(p)$. Notice that we allow the collection to contain more than one clause for any given predicate symbol.

The logical rules for treating pattern-based definitions are presented in Figure 3.6. These rules encode the idea of matching an instance of a predicate with the head of a particular clause and then replacing the predicate with the corresponding clause body. The kind of matching involved is made precise through the construction of a nominal abstraction after replacing the $\nabla$ quantifiers in the head of the clause by abstractions. The right rule embodies the fact that it is enough if an instance of any one clause can be used in this way to yield a successful proof. In this rule, the substitution $\theta$ that results from the matching must be applied in a nominal capture avoiding way to the body. However, since $B$ does not contain nominal constants, the ordinary application of the substitution also suffices. To accord with the treatment in the right rule, the left rule must consider all possible ways in which an instance of an atomic assumption $p\,\bar{s}$ can be matched by a clause and must show that a proof can be constructed in each such case.
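The matching just described, carried out on the $\mathit{ctx}$ clauses of this section and on the inlined form of $\mathit{fresh}$ from Section 3.5.1, as an added example that is not the thesis's own code. It assumes ground (variable-free) atoms on the sequent side, a tuple encoding of terms with the three term classes Nom, Var and Bnd as this example's own convention, and a type language with constructors base and arr that is constructed here for illustration.

```python
# Matching an atom p s̄ against the head (∇z̄. p t̄) of a pattern-based clause,
# as an added example (not the thesis's code).  The head is read as the
# abstraction λz̄. p t̄ and we solve (λz̄. p t̄)[θ] ⊳ p s̄ for ground s̄: θ binds
# the clause's universal variables, each z must stand for a distinct nominal
# constant, and those constants may not occur in anything θ binds (otherwise
# abstracting them out of p s̄ would not give back λz̄. p t̄).  Terms are
# tuples (constructor, args...) plus the three classes below.
from dataclasses import dataclass

@dataclass(frozen=True)
class Nom:   # nominal constant, e.g. c1
    name: str

@dataclass(frozen=True)
class Var:   # universally quantified clause variable (T, L, E, ...)
    name: str

@dataclass(frozen=True)
class Bnd:   # ∇-bound variable of the clause head (x, ...)
    name: str


def noms(term):
    """supp(term): the nominal constants occurring in a ground term."""
    if isinstance(term, Nom):
        return {term.name}
    if isinstance(term, tuple):
        return set().union(*(noms(a) for a in term[1:]))
    return set()


def match(pattern, target, theta, names):
    """First-order matching of a head argument against a ground argument.
    theta: Var name -> term;  names: Bnd name -> Nom.  Returns False on a clash."""
    if isinstance(pattern, Var):
        if pattern.name in theta:
            return theta[pattern.name] == target
        theta[pattern.name] = target
        return True
    if isinstance(pattern, Bnd):
        if not isinstance(target, Nom):
            return False                   # a ∇-bound variable only matches a nominal constant
        if pattern.name in names:
            return names[pattern.name] == target
        if target in names.values():
            return False                   # distinct binders need distinct constants
        names[pattern.name] = target
        return True
    if isinstance(pattern, Nom):           # heads contain no nominal constants; kept for safety
        return pattern == target
    if not (isinstance(target, tuple) and pattern[0] == target[0]
            and len(pattern) == len(target)):
        return False
    return all(match(p, t, theta, names) for p, t in zip(pattern[1:], target[1:]))


def solve(bound, head_args, args):
    """Solve (λz̄. p t̄) ⊳ p s̄ (z̄ = bound, t̄ = head_args, s̄ = args, all s̄ ground).
    Returns θ as a dict Var name -> term, or None if the atom does not match."""
    theta, names = {}, {}
    if len(head_args) != len(args):
        return None
    for t, s in zip(head_args, args):
        if not match(t, s, theta, names):
            return None
    if any(n not in bound for n in names):
        return None                        # a Bnd in the head must be one of the z̄
    used = set().union(*(noms(v) for v in theta.values()))
    if any(c.name in used for c in names.values()):
        return None                        # the side condition on nominal constants
    return theta


# The ctx clauses of Section 3.4:  ctx nil ≜ ⊤  and  (∇x. ctx (of x T :: L)) ≜ ctx L.
CTX_HEAD = (["x"], [("::", ("of", Bnd("x"), Var("T")), Var("L"))])

def ctx(k):
    """Unfold ctx on a ground list by clause matching (defR^P read as a decision
    procedure): true iff k = of c1 T1 :: ... :: nil where each c_i is a nominal
    constant occurring neither in T_i nor anywhere in the rest of the list."""
    if k == ("nil",):
        return True
    theta = solve(*CTX_HEAD, [k])
    return theta is not None and ctx(theta["L"])

def fresh(t1, t2):
    """fresh t1 t2 of Section 3.5.1, inlined as ∃E. (λx.(x, E)) ⊳ (t1, t2):
    t1 must be a nominal constant that does not occur in t2."""
    return solve(["x"], [("pair", Bnd("x"), Var("E"))], [("pair", t1, t2)]) is not None


# Constructed sample contexts over a type language with base and arr.
c1, c2 = Nom("c1"), Nom("c2")
BASE = ("base",)
GOOD = ("::", ("of", c1, ("arr", BASE, BASE)), ("::", ("of", c2, BASE), ("nil",)))
DUP  = ("::", ("of", c1, BASE), ("::", ("of", c1, BASE), ("nil",)))   # c1 twice
SELF = ("::", ("of", c1, ("arr", c1, BASE)), ("nil",))                 # c1 inside T1

if __name__ == "__main__":
    print(ctx(GOOD), ctx(DUP), ctx(SELF))      # True False False
```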

The soundness of these rules is the content of the following theorem whose proof also makes explicit the intended interpretation of the pattern-based form of definitions.

Theorem 3.4.2. The pattern-based form of definitions and the associated proof rules do not add any new power to the logic. In particular, the defL^P and defR^P rules are admissible under the intended interpretation via translation of the pattern-based form of definitions.

Proof. Let $p$ be a predicate whose clauses in the definition being considered are given by the following set of clauses.

$$\{\forall\bar{x}_i.\, (\nabla\bar{z}_i.\, p\,\bar{t}_i) \triangleq B_i\,p\,\bar{x}_i\}_{i \in 1..n}$$

Let $p'$ be a new constant symbol with the same argument types as $p$. Then the intended interpretation of the definition of $p$ in a setting that does not allow the use of patterns in the head and that limits the number of clauses defining a predicate to one is given by the clause

$$\forall\bar{y}.\, p\,\bar{y} \triangleq \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,p\,\bar{x}_i$$

in which the variables $\bar{y}$ are chosen such that they do not appear in the terms $\bar{t}_i$ for $1 \leq i \leq n$. Note also that we are using the term constructor $p'$ here so as to be able to match the entire head of a clause at once, thus ensuring that the $\nabla$-bound variables in the head are assigned a consistent value for all arguments of the predicate.

Based on this translation, we can replace an instance of defR^P,

$$\frac{\Gamma \longrightarrow (B_i\,p\,\bar{x}_i)[\theta]}{\Gamma \longrightarrow p\,\bar{s}}\ \mathit{def}\mathcal{R}^{\mathcal{P}}$$

with the following sequence of rules, where a double inference line indicates that a rule is used multiple times (each sequent is labelled with the rule that derives it).

$$\begin{array}{c}
\Gamma \longrightarrow (\lambda\bar{z}_i.\, p'\,\bar{t}_i)[\theta] \triangleright p'\,\bar{s}\ \ (\triangleright\mathcal{R}) \qquad \Gamma \longrightarrow (B_i\,p\,\bar{x}_i)[\theta] \\ \hline
\Gamma \longrightarrow ((\lambda\bar{z}_i.\, p'\,\bar{t}_i)[\theta] \triangleright p'\,\bar{s}) \wedge (B_i\,p\,\bar{x}_i)[\theta]\ \ (\wedge\mathcal{R}) \\ \hline\hline
\Gamma \longrightarrow \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}) \wedge B_i\,p\,\bar{x}_i\ \ (\exists\mathcal{R}) \\ \hline\hline
\Gamma \longrightarrow \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}) \wedge B_i\,p\,\bar{x}_i\ \ (\vee\mathcal{R}) \\ \hline
\Gamma \longrightarrow p\,\bar{s}\ \ (\mathit{def}\mathcal{R})
\end{array}$$

Note that we have made use of the fact that $\theta$ instantiates only the variables $\bar{x}_i$ and thus has no effect on $\bar{s}$. Further, the side condition associated with the defR^P rule ensures that the ⊳R rule that appears as a left leaf in this derivation is well applied.
Similarly, we can replace an instance of defL^P,

$$\frac{\{\Sigma\theta : \Gamma[\theta], (B_i\,p\,\bar{x}_i)[\theta] \longrightarrow C[\theta] \mid \theta \text{ is a solution to } ((\lambda\bar{z}_i.\, p\,\bar{t}_i) \triangleright p\,\bar{s})\}_{i \in 1..n}}{\Sigma : \Gamma, p\,\bar{s} \longrightarrow C}\ \mathit{def}\mathcal{L}^{\mathcal{P}}$$

with the following sequence of rules, in which the part of the derivation above the $\vee\mathcal{L}$ line is constructed for each $i \in 1..n$ and each sequent is labelled with the rule that derives it.

$$\begin{array}{c}
\{\Sigma\theta : \Gamma[\theta], (B_i\,p\,\bar{x}_i)[\theta] \longrightarrow C[\theta] \mid \theta \text{ is a solution to } ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s})\} \\ \hline
\Gamma, (\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}, B_i\,p\,\bar{x}_i \longrightarrow C\ \ (\triangleright\mathcal{L}) \\ \hline
\Gamma, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}) \wedge B_i\,p\,\bar{x}_i \longrightarrow C\ \ (\wedge\mathcal{L}^*) \\ \hline
\Gamma, \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}) \wedge B_i\,p\,\bar{x}_i \longrightarrow C\ \ (\exists\mathcal{L}) \\ \hline
\Gamma, \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}) \wedge B_i\,p\,\bar{x}_i \longrightarrow C\ \ (\vee\mathcal{L}) \\ \hline
\Gamma, p\,\bar{s} \longrightarrow C\ \ (\mathit{def}\mathcal{L})
\end{array}$$

Here $\wedge\mathcal{L}^*$ is an application of cL followed by $\wedge\mathcal{L}_1$ and $\wedge\mathcal{L}_2$ on the contracted formula. It is easy to see that the solutions to $(\lambda\bar{z}.\, p\,\bar{t}_i) \triangleright p\,\bar{s}$ and $(\lambda\bar{z}.\, p'\,\bar{t}_i) \triangleright p'\,\bar{s}$ are identical and hence the leaf sequents in this partial derivation are exactly the same as the upper sequents of the instance of the defL^P rule being considered. $\square$

A weak form of a converse to the above theorem also holds. Suppose that the predicate $p$ is given by the following clauses

$$\{\forall\bar{x}_i.\, (\nabla\bar{z}_i.\, p\,\bar{t}_i) \triangleq B_i\,p\,\bar{x}_i\}_{i \in 1..n}$$

in a setting that uses pattern-based definitions and that has the defL^P and defR^P but not the defL and defR rules. In such a logic, it is easy to see that the following is provable:

$$p\,\bar{y} \equiv \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,p\,\bar{x}_i$$

where $B \equiv C$ denotes $(B \supset C) \wedge (C \supset B)$. Thus, in the presence of cut, the defL and defR rules can be treated as derived ones relative to the translation interpretation of pattern-based definitions.

We would like also to allow patterns to be used in the heads of clauses when writing definitions that are intended to pick out the least and greatest fixed points, respectively. Towards this end we admit in a definition also clauses of the form $\forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \overset{\mu}{\triangleq} B\,p\,\bar{x}$ and $\forall\bar{x}.(\nabla\bar{z}.\, p\,\bar{t}) \overset{\nu}{\triangleq} B\,p\,\bar{x}$ with the earlier provisos on the form of $B$ and $\bar{t}$ and the types of $B$ and $p$ and with the additional requirement that all the clauses for any given predicate are un-annotated or annotated uniformly with either $\mu$ or $\nu$. Further, a definition must satisfy stratification conditions as before. In reasoning about the least or greatest fixed point forms of definitions, we may use the translation into the earlier, non-pattern form together with the rules IL and CIR. It is possible to formulate an induction rule that works directly from pattern-based definitions using the idea that to show $S$ to be an induction invariant for the predicate $p$, one must show that every clause of $p$ preserves $S$. A rule that is based on this intuition is presented in Figure 3.7. The soundness of this rule is shown in the following theorem.
$$\frac{\{\bar{x}_i : B_i\,S\,\bar{x}_i \longrightarrow \nabla\bar{z}_i.\, S\,\bar{t}_i\}_{i \in 1..n} \qquad \Sigma : \Gamma, S\,\bar{s} \longrightarrow C}{\Sigma : \Gamma, p\,\bar{s} \longrightarrow C}\ \mathcal{IL}^{\mathcal{P}}$$

assuming $p$ is defined by the set of clauses $\{\forall\bar{x}_i.\, (\nabla\bar{z}_i.\, p\,\bar{t}_i) \overset{\mu}{\triangleq} B_i\,p\,\bar{x}_i\}_{i \in 1..n}$

Figure 3.7: Induction rule for pattern-based definitions

Theorem 3.4.3. The IL^P rule is admissible under the intended translation of pattern-based definitions.

Proof. Let the clauses for $p$ in the pattern-based definition be given by the set

$$\{\forall\bar{x}_i.\, (\nabla\bar{z}_i.\, p\,\bar{t}_i) \overset{\mu}{\triangleq} B_i\,p\,\bar{x}_i\}_{i \in 1..n}$$

in which case the translated form of the definition for $p$ would be

$$\forall\bar{y}.\, p\,\bar{y} \overset{\mu}{\triangleq} \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,p\,\bar{x}_i.$$

In this context, the rightmost upper sequents of the IL^P and the IL rules that are needed to derive a sequent of the form $\Sigma : \Gamma, p\,\bar{s} \longrightarrow C$ are identical. Thus, to show that rule IL^P is admissible, it suffices to show that the left upper sequent in the IL rule can be derived in the original calculus from all but the rightmost upper sequent in an IL^P rule. Towards this end, we observe that we can construct the following derivation, in which the part above the $\vee\mathcal{L}$ line is constructed for each $i \in 1..n$ and each sequent is labelled with the rule that derives it:

$$\begin{array}{c}
\{(\bar{y}, \bar{x}_i)\theta : (B_i\,S\,\bar{x}_i)[\theta] \longrightarrow (S\,\bar{y})[\theta] \mid \theta \text{ is a solution to } ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y})\} \\ \hline
\bar{y}, \bar{x}_i : (\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}, B_i\,S\,\bar{x}_i \longrightarrow S\,\bar{y}\ \ (\triangleright\mathcal{L}) \\ \hline
\bar{y}, \bar{x}_i : ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,S\,\bar{x}_i \longrightarrow S\,\bar{y}\ \ (\wedge\mathcal{L}^*) \\ \hline
\bar{y} : \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,S\,\bar{x}_i \longrightarrow S\,\bar{y}\ \ (\exists\mathcal{L}) \\ \hline
\bar{y} : \bigvee_{i \in 1..n} \exists\bar{x}_i.\, ((\lambda\bar{z}_i.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}) \wedge B_i\,S\,\bar{x}_i \longrightarrow S\,\bar{y}\ \ (\vee\mathcal{L})
\end{array}$$

Since the variables $\bar{y}$ are distinct and do not occur in $\bar{t}_i$, the solutions to $(\lambda\bar{z}.\, p'\,\bar{t}_i) \triangleright p'\,\bar{y}$ have a simple form. In particular, let $\bar{t}_i'$ be the result of replacing in $\bar{t}_i$ the variables $\bar{z}$ with distinct nominal constants. Then $\bar{y} = \bar{t}_i'$ will be a most general solution to the nominal abstraction. Thus the upper sequents of the invariant derivation above will be

$$\bar{x}_i : B_i\,S\,\bar{x}_i \longrightarrow S\,\bar{t}_i'$$

which are derivable if and only if the sequents

$$\bar{x}_i : B_i\,S\,\bar{x}_i \longrightarrow \nabla\bar{z}_i.\, S\,\bar{t}_i$$

are derivable. $\square$

We do not introduce a co-induction rule for pattern-based definitions largely because 
it seems that there are few interesting co-inductive definitions that require patterns and 
multiple clauses. 
3.5 Examples

We now provide some examples to illuminate the properties of nominal abstraction and its usefulness in both specification and reasoning tasks; while $\mathcal{G}$ has many more features, their characteristics and applications have been exposed in other work (e.g., see [MM02, MT03b, Tiu04, TM08]). In the examples that are shown, use will be made of the pattern-based form of definitions described in Section 3.4. We will also use the convention that tokens given by capital letters denote variables that are implicitly universally quantified over the entire clause.

3.5.1 Properties of ∇ and Freshness

We can use nominal abstraction to gain a better insight into the behavior of the $\nabla$ quantifier. Towards this end, let the $\mathit{fresh}$ predicate be defined by the following clause.

$$(\nabla x.\, \mathit{fresh}\ x\ E) \triangleq \top$$

We have elided the type of $\mathit{fresh}$ here; it will have to be defined at each type that it is needed in the examples we consider below. Alternatively, we can "inline" the definition by using nominal abstraction directly, i.e., by replacing occurrences of $\mathit{fresh}\ t_1\ t_2$ with $\exists E.\, ((\lambda x.\, (x, E)) \triangleright (t_1, t_2))$ for a suitably typed pairing construct $(\cdot, \cdot)$.

Now let $B$ be a formula whose free variables are among $z, x_1, \ldots, x_n$, and let $\bar{x} = x_1 :: \ldots :: x_n :: \mathit{nil}$ where $::$ and $\mathit{nil}$ are constructors in the logic.¹ Then the following formulas logically imply one another in $\mathcal{G}$.

$$\nabla z.\, B \qquad \exists z.\, (\mathit{fresh}\ z\ \bar{x} \wedge B) \qquad \forall z.\, (\mathit{fresh}\ z\ \bar{x} \supset B)$$

Note that the type of $z$ allows it to be an arbitrary term in the last two formulas, but its occurrence as the first argument of $\mathit{fresh}$ will restrict it to being a nominal constant (even when $\bar{x} = \mathit{nil}$).

In the original presentation of the $\nabla$ quantifier [MT03a], it was shown that one can move a $\nabla$ quantifier inwards over universal and existential quantifiers by using raising to encode an explicit dependency. To illustrate this, let $B$ be a formula with two variables abstracted out, and let $C \equiv D$ be shorthand for $(C \supset D) \wedge (D \supset C)$. Then the following formulas are provable in the logic.

$$\nabla z.\forall x.\, (B\ z\ x) \equiv \forall h.\nabla z.\, (B\ z\ (h\ z)) \qquad \nabla z.\exists x.\, (B\ z\ x) \equiv \exists h.\nabla z.\, (B\ z\ (h\ z))$$

In order to move a $\nabla$ quantifier outwards over universal and existential quantifiers, one would need a way to make non-dependency (i.e., freshness) explicit. This is now possible using nominal abstraction as shown by the following equivalences.

$$\forall x.\nabla z.\, (B\ z\ x) \equiv \nabla z.\forall x.\, (\mathit{fresh}\ z\ x \supset B\ z\ x) \qquad \exists x.\nabla z.\, (B\ z\ x) \equiv \nabla z.\exists x.\, (\mathit{fresh}\ z\ x \wedge B\ z\ x)$$

Finally, we note that the two sets of equivalences for moving the $\nabla$ quantifier interact nicely. Specifically, starting with a formula like $\nabla z.\forall x.\, (B\ z\ x)$ we can push the $\nabla$ quantifier inwards and then outwards to obtain $\nabla z.\forall h.\, (\mathit{fresh}\ z\ (h\ z) \supset B\ z\ (h\ z))$. Here $\mathit{fresh}\ z\ (h\ z)$ will only be satisfied if $h$ projects away its first argument, as expected.

¹ We are, once again, finessing typing issues here in that the $x_i$ variables may not all be of the same type. However, this problem can be solved by surrounding each of them with a constructor that yields a term with a uniform type.

3.5.2 Polymorphic Type Generalization

In addition to reasoning, nominal abstraction can also be useful in providing declarative specifications of computations. We consider the context of a type inference algorithm that is also discussed in [CU08] to illustrate such an application. In this setting, we might need a predicate $\mathit{spec}$ that relates a polymorphic type $\sigma$, a list of distinct variables $\bar{a}$ (represented by nominal constants) and a monomorphic type $\tau$ just in the case that $\sigma = \forall\bar{a}.\tau$. Using nominal abstraction, we can define this predicate as follows.

$$\begin{array}{l}
\mathit{spec}\ (\mathit{monoTy}\ T)\ \mathit{nil}\ T \triangleq \top \\
(\nabla x.\, \mathit{spec}\ (\mathit{polyTy}\ P)\ (x :: L)\ (T\ x)) \triangleq \nabla x.\, \mathit{spec}\ (P\ x)\ L\ (T\ x)
\end{array}$$

Note that we use $\nabla$ in the head of the second clause to associate the variable $x$ at the head of the list $L$ with its occurrences in the type $(T\ x)$. We then use $\nabla$ in the body of this clause to allow for the recursive use of $\mathit{spec}$.

3.5.3 Arbitrarily Cascading Substitutions 

Many reducibility arguments, such as Tait's proof of normalization for the simply typed $\lambda$-calculus [Tai67], are based on judgments over closed terms. During reasoning, however, one has often to work with open terms. To accommodate this requirement, the closed term judgment is extended to open terms by considering all possible closed instantiations of the open terms. When reasoning with $\mathcal{G}$, open terms are denoted by terms with nominal constants representing free variables. The general form of an open term is thus $M\ c_1 \cdots c_n$, and we want to consider all possible instantiations $M\ V_1 \cdots V_n$ where the $V_i$ are closed terms. This type of arbitrary cascading substitutions is difficult to realize in reasoning systems where variables are given a simple type since $M$ would have an arbitrary number of abstractions but the type of $M$ would a priori fix that number of abstractions.

We can define arbitrary cascading substitutions in $\mathcal{G}$ using nominal abstraction. In particular, we can define a predicate which holds on a list of pairs $(c_i, V_i)$, a term with the form $M\ c_1 \cdots c_n$ and a term of the form $M\ V_1 \cdots V_n$. The idea is to iterate over the list of pairs and for each pair $(c, V)$ use nominal abstraction to abstract $c$ out of the first term and then substitute $V$ before continuing. The following definition of the predicate $\mathit{subst}$ is based on this idea.

$$\begin{array}{l}
\mathit{subst}\ \mathit{nil}\ T\ T \triangleq \top \\
(\nabla x.\, \mathit{subst}\ ((x, V) :: L)\ (T\ x)\ S) \triangleq \mathit{subst}\ L\ (T\ V)\ S
\end{array}$$

Given the definition of $\mathit{subst}$ one may then show that arbitrary cascading substitutions have many of the same properties as normal higher-order substitutions. For instance, in the domain of the untyped $\lambda$-calculus, we can show that $\mathit{subst}$ acts compositionally via the following lemmas.

$$\begin{array}{l}
\forall \ell, t, r, s.\, \mathit{subst}\ \ell\ (\mathit{app}\ t\ r)\ s \supset \exists u, v.\, (s = \mathit{app}\ u\ v \wedge \mathit{subst}\ \ell\ t\ u \wedge \mathit{subst}\ \ell\ r\ v) \\
\forall \ell, t, r.\, \mathit{subst}\ \ell\ (\mathit{abs}\ t)\ r \supset \exists s.\, (r = \mathit{abs}\ s \wedge \nabla z.\, \mathit{subst}\ \ell\ (t\ z)\ (s\ z))
\end{array}$$

Both of these lemmas have straightforward proofs by induction on $\mathit{subst}$.

We use this technique for describing arbitrary cascading substitutions again in Section 7.5 to formalize Girard's strong normalization argument for the simply-typed $\lambda$-calculus.



Chapter 4 



Some Properties of the Meta-logic 

In this chapter we study some of the meta-theory of $\mathcal{G}$. There are two parts to our discussion. In the first part of the chapter, we prove various properties of the logic which show that the logic is well-designed and which are also useful when working within the logic. Most significantly, we prove the cut-elimination property for $\mathcal{G}$ and then use this to establish the consistency of the logic. In the second part of the chapter we look at the question of how we can formally relate an object system to a potential encoding of it in $\mathcal{G}$. The naturalness of such a relationship is a strong recommendation for the meta-logic: it is ultimately this correspondence that allows us to use $\mathcal{G}$ in establishing properties of an object system. Showing this type of relationship depends crucially on the earlier cut-elimination result which further justifies the emphasis we place on it.

4.1 Consistency of the Meta-logic 

The logic $\mathcal{G}$, whose proof rules consist of the ones in Figures 3.1, 3.2, 3.4 and 3.5, combines and extends the features in several logics such as $FO\lambda^{\Delta\mathbb{N}}$ [MM00], $FO\lambda^{\Delta\nabla}$ [MT05], $LG^\omega$ [Tiu08] and $\mathit{Linc}^-$ [TM09]. The relationship to $\mathit{Linc}^-$ is of special interest to us below: $\mathcal{G}$ is a conservative extension to this logic that is obtained by adding a treatment of the $\nabla$ quantifier and the associated nominal constants and by generalizing the proof rules pertaining to equality to ones dealing with nominal abstraction. This correspondence will allow the proof of the critical meta-theoretic property of cut-elimination for $\mathit{Linc}^-$ to be lifted to $\mathcal{G}$.

We shall actually establish three main properties of $\mathcal{G}$ in this section. First, we shall show that the provability of a sequent is unaffected by the application of permutations of nominal constants to formulas in the sequent. This property consolidates our understanding that nominal constants are quantified implicitly at the formula level; such quantification also renders irrelevant the particular names chosen for such constants. Second, we show that the application of substitution in a nominal capture-avoiding way preserves provability; by contrast, ordinary application of substitution does not have this property. Finally, we show that the cut rule can be dispensed with from the logic without changing the set of provable sequents. This implies that the left and right rules of the logic are balanced and moreover, that the logic is consistent. This is the main result of this section and its proof uses the earlier two results together with the argument for cut-elimination for $\mathit{Linc}^-$.

Several of our arguments will be based on induction on the heights of proofs. This measure is defined formally below. Notice that the height of a proof can be an infinite ordinal because the ⊳L rule can have an infinite number of premises. Thus, we will be using a transfinite form of induction.

Definition 4.1.1. The height of a derivation $\Pi$, denoted by $\mathrm{ht}(\Pi)$, is $1$ if $\Pi$ has no premise derivations and is the least upper bound of $\{\mathrm{ht}(\Pi_i) + 1\}_{i \in I}$ if $\Pi$ has the premise derivations $\{\Pi_i\}_{i \in I}$ where $I$ is some index set.

Many proof systems, such as $\mathit{Linc}^-$, include a weakening rule that allows formulas to be dropped (reading proofs bottom-up) from the left-hand sides of sequents. While $\mathcal{G}$ does not include such a rule directly, its effect is captured in a strong sense as we show in the lemma below. Two proofs are to be understood here and elsewhere as having the same structure if they are isomorphic as trees, if the same rules appear at corresponding places within them and if these rules pertain to formulas that can be obtained one from the other via a renaming of eigenvariables and nominal constants.

Lemma 4.1.2. Let $\Pi$ be a proof of $\Sigma : \Gamma \longrightarrow B$ and let $\Delta$ be a multiset of formulas whose eigenvariables are contained in $\Sigma$. Then there exists a proof $\Pi'$ of $\Sigma : \Delta, \Gamma \longrightarrow B$ which has the same structure as $\Pi$. In particular $\mathrm{ht}(\Pi) = \mathrm{ht}(\Pi')$ and $\Pi$ and $\Pi'$ end with the same rule application.

Proof. The lemma can be proved by an easy induction on $\mathrm{ht}(\Pi)$. We omit the details. $\square$

The following lemma shows a strong form of the preservation of provability under permutations of nominal constants appearing in formulas, the first of our mentioned results.

Lemma 4.1.3. Let $\Pi$ be a proof of $\Sigma : B_1, \ldots, B_n \longrightarrow B_0$ and let $B_i \sim B_i'$ for $i \in \{0, 1, \ldots, n\}$. Then there exists a proof $\Pi'$ of $\Sigma : B_1', \ldots, B_n' \longrightarrow B_0'$ which has the same structure as $\Pi$. In particular $\mathrm{ht}(\Pi) = \mathrm{ht}(\Pi')$ and $\Pi$ and $\Pi'$ end with the same rule application.

Proof. The proof is by induction on $\mathrm{ht}(\Pi)$ and proceeds specifically by considering the last rule used in $\Pi$. When this is a left rule, we shall assume without loss of generality that it operates on $B_n$.

The argument is easy to provide when the last rule in $\Pi$ is one of ⊥L or ⊤R. If this rule is an id, i.e., if $\Pi$ is of the form

$$\frac{B_n \sim B_0}{\Sigma : B_1, \ldots, B_n \longrightarrow B_0}\ \mathit{id}$$

then, since $\sim$ is an equivalence relation, it must be the case that $B_n' \sim B_0'$. Thus, we can let $\Pi'$ be the derivation

$$\frac{B_n' \sim B_0'}{\Sigma : B_1', \ldots, B_n' \longrightarrow B_0'}\ \mathit{id}$$

If the last rule is a ⊳L applied to a nominal abstraction $s \triangleright t$ that has no solutions, then, by Lemma 3.2.10, the sequent $\Sigma : B_1', \ldots, B_n' \longrightarrow B_0'$ also has a nominal abstraction with no solutions. Thus, $\Pi'$ can be a derivation consisting of the single rule ⊳L. Lemma 3.2.10 similarly provides the key observation when the last rule in $\Pi$ is an ⊳R.

All the remaining cases correspond to derivations of height greater than 1. We shall show that the last rule in $\Pi$ in all these cases could also have $\Sigma : B_1', \ldots, B_n' \longrightarrow B_0'$ as a conclusion with the premises in this application of the rule being related via permutations in the way required by the lemma to the premises of the rule application in $\Pi$. The lemma then follows from the induction hypothesis.

In the case when the last rule in $\Pi$ pertains to a binary connective, i.e., when the rule is one of ∨L, ∨R, ∧L, ∧R, ⊃L or ⊃R, the desired conclusion follows naturally from the observation that permutations distribute over the connective. The proof can be similarly completed when a ∃L, ∃R, ∀L or ∀R rule ends the derivation, once we have noted that the application of permutations can be moved under the $\exists$ and $\forall$ quantifiers. For the cut and cL rules, we have to show that permutations can be extended to include the newly introduced formula in the upper sequent(s). This is easy: for the cut rule we use the identity permutation and for cL we replicate the permutation used to obtain $B_n'$ from $B_n$.

The two remaining rules from the core logic are ∇L and ∇R. The arguments in these cases are similar and we consider only the latter in detail. In this case, the last rule in $\Pi$ is of the form

$$\frac{\Sigma : B_1, \ldots, B_n \longrightarrow C[a/x]}{\Sigma : B_1, \ldots, B_n \longrightarrow \nabla x.C}\ \nabla\mathcal{R}$$

where $a \notin \mathrm{supp}(C)$. Obviously, $B_0' = \nabla x.C'$ for some $C'$ such that $C \sim C'$. Let $d$ be a nominal constant such that $d \notin \mathrm{supp}(C)$ and $d \notin \mathrm{supp}(C')$. Such a constant must exist since both sets are finite. Then $C[a/x] \sim C[d/x] \sim C'[d/x]$. Thus the following

$$\frac{\Sigma : B_1', \ldots, B_n' \longrightarrow C'[d/x]}{\Sigma : B_1', \ldots, B_n' \longrightarrow \nabla x.C'}\ \nabla\mathcal{R}$$

is also an instance of the ∇R rule and its upper sequent has the form desired.

The only case that remains to be treated when the last rule applies to a nominal abstraction is that of ⊳L that has at least one upper sequent. In this case the rule has the structure

$$\frac{\{\Sigma\theta : B_1[\theta], \ldots, B_{n-1}[\theta] \longrightarrow B_0[\theta] \mid \theta \text{ is a solution to } s \triangleright t\}}{\Sigma : B_1, \ldots, s \triangleright t \longrightarrow B_0}\ \triangleright\mathcal{L}$$

Here we know that $B_n'$ is a nominal abstraction $s' \triangleright t'$ that, by Lemma 3.2.10, has the same solutions as $s \triangleright t$. Further, by Lemma 3.2.3, $B_i[\theta] \sim B_i'[\theta]$ for any substitution $\theta$. Thus

$$\frac{\{\Sigma\theta : B_1'[\theta], \ldots, B_{n-1}'[\theta] \longrightarrow B_0'[\theta] \mid \theta \text{ is a solution to } s' \triangleright t'\}}{\Sigma : B_1', \ldots, s' \triangleright t' \longrightarrow B_0'}\ \triangleright\mathcal{L}$$

is also an instance of the ⊳L rule and its upper sequents have the required property.

The arguments for the rules defL and defR are similar and we therefore only consider the case for the former rule in detail. Here, $B_n$ must be of the form $p\,\bar{t}$ where $p$ is a predicate symbol and the upper sequent must be identical to the lower one except for the fact that $B_n$ is replaced by a formula of the form $B\,p\,\bar{t}$ where $B$ contains no nominal constants. Further, $B'_n$ is of the form $p\,\bar{s}$ where $p\,\bar{t} \sim p\,\bar{s}$. From this it follows that $B\,p\,\bar{t} \sim B\,p\,\bar{s}$ and hence that $\Sigma : B'_1, \ldots, B'_n \longrightarrow B'_0$ can be the lower sequent of a rule whose upper sequent is related in the desired way via permutations to the upper sequent of the last rule in Π.

The only remaining rules to consider are IL and CIR. Once again, the arguments in these cases are similar and we therefore consider only the case for IL in detail. Here, Π ends with a rule of the form

$$\frac{\bar{x} : B\,S\,\bar{x} \longrightarrow S\,\bar{x} \qquad \Sigma : B_1, \ldots, S\,\bar{t} \longrightarrow B_0}{\Sigma : B_1, \ldots, p\,\bar{t} \longrightarrow B_0}\;\mathcal{IL}$$

where $p$ is a predicate symbol defined by a clause of the form $\forall\bar{x}.\ p\,\bar{x} \triangleq B\,p\,\bar{x}$ and $S$ contains no nominal constants. Now, $B'_n$ must be of the form $p\,\bar{t}'$ where $p\,\bar{t} \sim p\,\bar{t}'$. Noting the proviso on $S$, it follows that $S\,\bar{t} \sim S\,\bar{t}'$. But then the following

$$\frac{\bar{x} : B\,S\,\bar{x} \longrightarrow S\,\bar{x} \qquad \Sigma : B'_1, \ldots, S\,\bar{t}' \longrightarrow B'_0}{\Sigma : B'_1, \ldots, p\,\bar{t}' \longrightarrow B'_0}\;\mathcal{IL}$$

is also an instance of the IL rule and its upper sequents are related in the manner needed to those of the IL rule used in Π. □

Several rules in G require the selection of new eigenvariables and nominal constants. Lemma 4.1.3 shows that we obtain what is essentially the same proof regardless of how we choose nominal constants in such rules so long as the local non-occurrence conditions are satisfied. A similar observation with regard to the choice of eigenvariables is also easily verified. We shall therefore identify below proofs that differ only in the choices of eigenvariables and nominal constants.

We now turn to the second of our desired results, the preservation of provability under 
substitutions. 

Lemma 4.1.4. Let Π be a proof of $\Sigma : \Gamma \longrightarrow C$ and let θ be a substitution. Then there is a proof Π' of $\Sigma\theta : \Gamma[\theta] \longrightarrow C[\theta]$ such that $\mathrm{ht}(\Pi') \leq \mathrm{ht}(\Pi)$.

Proof. We show how to transform the proof Π into a proof Π' for the modified sequent. The transformation is by recursion on ht(Π), the critical part of it being a consideration of the last rule in Π. The transformation is, in fact, straightforward in all cases other than when this rule is ∀R, ∃L, ▷L, ∃R, ∀L, IL or CIR. In the straightforward cases, we simply apply the substitution in a nominal capture avoiding way to the lower and any possible upper sequents of the rule. It is easy to see that the resulting structure is still an instance of the same rule and its upper sequents are guaranteed to have proofs (of suitable heights) by induction.

Suppose that the last rule in Π is a ▷L, i.e., it is of the form

$$\frac{\{\Sigma\rho : \Gamma[\rho] \longrightarrow C[\rho] \mid \rho \text{ is a solution to } s \triangleright t\}}{\Sigma : \Gamma, s \triangleright t \longrightarrow C}\;\triangleright\mathcal{L}$$

Then the following

$$\frac{\{\Sigma(\theta \circ \rho') : \Gamma[\theta \circ \rho'] \longrightarrow C[\theta \circ \rho'] \mid \rho' \text{ is a solution to } (s \triangleright t)[\theta]\}}{\Sigma\theta : \Gamma[\theta], (s \triangleright t)[\theta] \longrightarrow C[\theta]}\;\triangleright\mathcal{L}$$

is also a ▷L rule. Noting that if $\rho'$ is a solution to $(s \triangleright t)[\theta]$ then $\theta \circ \rho'$ is a solution to $s \triangleright t$, we see that the upper sequents of this rule are contained in the upper sequents of the rule in Π. It follows that we can construct a proof of the lower sequent whose height is less than or equal to that of Π.

The argument is similar in the cases when the last rule in Π is a ∀R or a ∃L, so we consider only the former in detail. In this case the rule has the form

$$\frac{\Sigma, h : \Gamma \longrightarrow B[h\,\bar{c}/x]}{\Sigma : \Gamma \longrightarrow \forall x.B}\;\forall\mathcal{R}$$

where $\{\bar{c}\} = \mathrm{supp}(\forall x.B)$. Let $\{\bar{a}\} = \mathrm{supp}((\forall x.B)[\theta])$. Further, let $h'$ be a new variable name. We assume without loss of generality that neither $h$ nor $h'$ appear in the domain or range of θ. Letting $\rho = \theta \cup \{\lambda\bar{c}.h'\,\bar{a}/h\}$, consider the structure

$$\frac{(\Sigma, h)\rho : \Gamma[\rho] \longrightarrow B[h\,\bar{c}/x][\rho]}{\Sigma\theta : \Gamma[\theta] \longrightarrow (\forall x.B)[\theta]}$$

The upper sequent here is equivalent under λ-conversion to $\Sigma\theta, h' : \Gamma[\theta] \longrightarrow (B[\theta])[h'\,\bar{a}/x]$ so this structure is, in fact, also an instance of the ∀R rule. Moreover, its upper sequent is obtained via substitution from the upper sequent of the rule in Π. The lemma then follows by induction.

The arguments for the cases when the last rule is an ∃R or an ∀L are similar and so we provide it explicitly only for the former. In this case, we have the rule

$$\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma \longrightarrow B[t/x]}{\Sigma : \Gamma \longrightarrow \exists_\tau x.B}\;\exists\mathcal{R}$$

ending Π. Assuming that the substitution uses the permutation π to avoid the capture of nominal constants, consider the structure

$$\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash \pi.t : \tau \qquad \Sigma\theta : \Gamma[\theta] \longrightarrow B[\theta][\pi.t/x]}{\Sigma\theta : \Gamma[\theta] \longrightarrow (\exists_\tau x.B)[\theta]}$$

This is also obviously an instance of the ∃R rule and its right upper sequent is related via substitution to that of the rule in Π. The lemma follows from these observations by induction.

The only remaining cases for the last rule are IL and CIR. The arguments in these cases are, yet again, similar and it suffices to make only the former explicit. In this case, the end of Π has the form

$$\frac{\bar{x} : B\,S\,\bar{x} \longrightarrow S\,\bar{x} \qquad \Sigma : \Gamma, S\,\bar{t} \longrightarrow C}{\Sigma : \Gamma, p\,\bar{t} \longrightarrow C}\;\mathcal{IL}$$

But then the following

$$\frac{\bar{x} : B\,S\,\bar{x} \longrightarrow S\,\bar{x} \qquad \Sigma\theta : \Gamma[\theta], (S\,\bar{t})[\theta] \longrightarrow C[\theta]}{\Sigma\theta : \Gamma[\theta], (p\,\bar{t})[\theta] \longrightarrow C[\theta]}\;\mathcal{IL}$$

is also an instance of the IL rule. Moreover, the same proof as in Π can be used for the left upper sequent and the right upper sequent has the requisite form for using the induction hypothesis. □



The proof of Lemma 4.1.4 effectively defines a transformation of a derivation Π based on a substitution θ. We shall use the notation $\Pi[\theta]$ to denote the transformed derivation. Note that $\mathrm{ht}(\Pi[\theta])$ can be less than $\mathrm{ht}(\Pi)$. This may happen because the transformed version of a ▷L rule can have fewer upper sequents.

Corollary 4.1.5. The following rules are admissible.

$$\frac{\Sigma, h : \Gamma \longrightarrow B[h\,\bar{a}/x]}{\Sigma : \Gamma \longrightarrow \forall x.B}\;\forall\mathcal{R}^* \qquad\qquad \frac{\Sigma, h : \Gamma, B[h\,\bar{a}/x] \longrightarrow C}{\Sigma : \Gamma, \exists x.B \longrightarrow C}\;\exists\mathcal{L}^*$$

where $h \notin \Sigma$ and $\bar{a}$ is any listing of distinct nominal constants which contains $\mathrm{supp}(B)$.

Proof. Let Π be a derivation for $\Sigma, h : \Gamma \longrightarrow B[h\,\bar{a}/x]$, let $h'$ be a variable that does not appear in Π, and let $\{\bar{c}\} = \mathrm{supp}(B)$. By Lemma 4.1.4, $\Pi[\lambda\bar{a}.h'\,\bar{c}/h]$ is a valid derivation. Since $\bar{a}$ contains $\bar{c}$, no nominal constants appear in the substitution $\{\lambda\bar{a}.h'\,\bar{c}/h\}$. It can now be seen that the last sequent in $\Pi[\lambda\bar{a}.h'\,\bar{c}/h]$ has the form $\Sigma, h' : \Gamma' \longrightarrow B'$ where $B' \sim B[h'\,\bar{c}/x]$ and $\Gamma'$ results from replacing some of the formulas in Γ by ones that they are equivalent to under $\sim$. But then, by Lemma 4.1.3, there must be a derivation for $\Sigma, h' : \Gamma \longrightarrow B[h'\,\bar{c}/x]$. Using a ∀R rule below this we get a derivation for $\Sigma : \Gamma \longrightarrow \forall x.B$, verifying the admissibility of ∀R*. The argument for ∃L* is analogous. □



We now turn to the main result of this section, the redundancy from a provability perspective of the cut rule in G. The usual approach to proving such a property is to define a set of transformations called cut reductions on derivations that leave the end sequent unchanged but that have the effect of pushing occurrences of cut up the proof tree to the leaves where they can be immediately eliminated. The difficult part of such a proof is showing that these cut reductions always terminate. In simpler sequent calculi such as the one for first-order logic, this argument can be based on an uncomplicated measure such as the size of the cut formula. However, the presence of definitions in a logic like G renders this measure inadequate. For example, the following is a natural way to define a cut reduction between a defL and a defR rule that work on the cut formula:

$$\frac{\dfrac{\begin{array}{c}\Pi' \\ \Sigma : \Gamma \longrightarrow B\,p\,\bar{t}\end{array}}{\Sigma : \Gamma \longrightarrow p\,\bar{t}}\;\mathrm{def}\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi'' \\ \Sigma : B\,p\,\bar{t}, \Delta \longrightarrow C\end{array}}{\Sigma : p\,\bar{t}, \Delta \longrightarrow C}\;\mathrm{def}\mathcal{L}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

$$\Longrightarrow$$

$$\frac{\begin{array}{c}\Pi' \\ \Sigma : \Gamma \longrightarrow B\,p\,\bar{t}\end{array} \qquad \begin{array}{c}\Pi'' \\ \Sigma : B\,p\,\bar{t}, \Delta \longrightarrow C\end{array}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

Notice that $B\,p\,\bar{t}$, the cut formula in the new cut introduced by this transformation, could be more complex than $p\,\bar{t}$, the old cut formula. To overcome this difficulty, a more complicated argument based on the idea of reducibility in the style of Tait [Tai67] is often used. Tiu and Momigliano [TM09] in fact formulate a notion of parametric reducibility for derivations that is based on Girard's proof of strong normalizability for System F [GTL89] and that works in the presence of the induction and co-induction rules for definitions. Our proof makes extensive use of this notion and the associated argument structure.



Theorem 4.1.6. The cut rule can be eliminated from G without affecting the provability relation.

Proof. The relationship between G and the logic Linc⁻ treated by Tiu and Momigliano can be understood as follows: Linc⁻ does not treat the ∇ quantifier and therefore has no rules for it. Consequently, it does not have nominal constants, it does not use raising over nominal constants in the rules ∀R and ∃L, it has no need to consider permutations in the id (or initial) rule and has equality rules in place of nominal abstraction rules. The rules in G other than the ones for ∇, including the ones for definitions, induction, and co-induction, are essentially identical to the ones in Linc⁻ except for the additional attention to nominal constants.

Tiu and Momigliano's proof can be extended to G in a fairly direct way since the addition of nominal constants and their treatment in the rules is quite modular and does not create any new complexities for the reduction rules. The main issues in realizing this extension are building in the idea of identity under permutations of nominal constants and lifting the Linc⁻ notion of substitution on terms, sequents, and derivations to a form that avoids capture of nominal constants. The machinery for doing this has already been developed in Lemmas 4.1.3 and 4.1.4. In the rest of this proof we assume a familiarity with the argument for cut-elimination for Linc⁻ and discuss only the changes to the cut reductions of Linc⁻ to accommodate the differences.

The id rule in G identifies formulas which are equivalent under $\sim$, which is more permissive than equality under λ-convertibility that is used in the Linc⁻ initial rule. Correspondingly, we have to be a bit more careful about the cut reductions associated with the id (initial) rule. For example, consider the following reduction:

$$\frac{\Sigma : \Gamma, B \longrightarrow B'\;\;\mathrm{id} \qquad \begin{array}{c}\Pi' \\ \Sigma : B', \Delta \longrightarrow C\end{array}}{\Sigma : B, \Gamma, \Delta \longrightarrow C}\;\mathrm{cut} \qquad\Longrightarrow\qquad \begin{array}{c}\Pi' \\ \Sigma : B', \Delta \longrightarrow C\end{array}$$

This reduction has not preserved the end sequent. However, we know $B \sim B'$ and so we can now use Lemma 4.1.3 to replace Π' with a derivation of $\Sigma : B, \Delta \longrightarrow C$. Then we can use Lemma 4.1.2 to produce a derivation of $\Sigma : B, \Gamma, \Delta \longrightarrow C$ as desired. The changes to the cut reduction when id applies to the right upper sequent of the cut rule are similar.

The ∀R and ∃L rules of G extend the corresponding rules of Linc⁻ by raising over nominal constants in the support of the quantified formula. The ∀L and ∃R rules of G also extend the corresponding rules in Linc⁻ by allowing instantiations which contain nominal constants. Despite these changes, the cut reductions involving these quantifier rules remain unchanged for G except for the treatment of essential cuts that involve an interaction between ∀R and ∀L and, similarly, between ∃R and ∃L. The first of these is treated as follows:

$$\frac{\dfrac{\begin{array}{c}\Pi' \\ \Sigma, h : \Gamma \longrightarrow B[h\,\bar{c}/x]\end{array}}{\Sigma : \Gamma \longrightarrow \forall x.B}\;\forall\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi'' \\ \Sigma : \Delta, B[t/x] \longrightarrow C\end{array}}{\Sigma : \Delta, \forall x.B \longrightarrow C}\;\forall\mathcal{L}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

$$\Longrightarrow$$

$$\frac{\begin{array}{c}\Pi'[\lambda\bar{c}.t/h] \\ \Sigma : \Gamma \longrightarrow B[t/x]\end{array} \qquad \begin{array}{c}\Pi'' \\ \Sigma : \Delta, B[t/x] \longrightarrow C\end{array}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

The existence of the derivation $\Pi'[\lambda\bar{c}.t/h]$ (with height at most that of Π') is guaranteed by Lemma 4.1.4. The end sequent of this derivation is $\Sigma : \Gamma[\lambda\bar{c}.t/h] \longrightarrow B[h\,\bar{c}/x][\lambda\bar{c}.t/h]$. However, $\Gamma[\lambda\bar{c}.t/h] = \Gamma$ because $h$ is new to Γ and $B[h\,\bar{c}/x][\lambda\bar{c}.t/h] \sim B[t/x]$ because $\{\bar{c}\} = \mathrm{supp}(B)$ and so $\lambda\bar{c}.t$ has no nominal constants in common with $\mathrm{supp}(B)$. Thus, by Lemma 4.1.3 and by an abuse of notation, we may consider $\Pi'[\lambda\bar{c}.t/h]$ to also be a derivation of $\Sigma : \Gamma \longrightarrow B[t/x]$. The reduction for a cut involving an interaction between an ∃R and an ∃L rule is analogous.

The logic G extends the equality rules in Linc⁻ to treat the more general case of nominal abstraction. Our notion of nominal capture-avoiding substitution correspondingly generalizes the Linc⁻ notion of substitution, and we have shown in Lemma 4.1.4 that this preserves provability. Thus the reductions for nominal abstraction are the same as for equality, except that we use nominal capture-avoiding substitution in place of regular substitution. For example, the essential cut involving an interaction between an ▷R and an ▷L rule is treated as follows:

$$\Sigma\theta : \Delta[\theta] \longrightarrow C[\theta]$$

Here we know $s \triangleright t$ holds and thus $\epsilon$, the identity substitution, is a solution to this nominal abstraction. Therefore we have the derivation $\Pi_\epsilon$ as needed. We can then apply Lemma 4.1.2 to weaken this derivation to one for $\Sigma : \Gamma, \Delta \longrightarrow C$. For the other cuts involving nominal abstraction, we make use of the fact proved in Lemma 4.1.4 that nominal capture-avoiding substitution preserves provability. This allows us to commute other rules with ▷L. For example, consider the following reduction of a cut where the upper right derivation uses an ▷L on a formula different from the cut formula:

$$\frac{\Sigma : \Gamma \longrightarrow B \qquad \Sigma : B, \Delta, s \triangleright t \longrightarrow C}{\Sigma : \Gamma, \Delta, s \triangleright t \longrightarrow C}\;\mathrm{cut}$$

$$\Longrightarrow$$

$$\Sigma : \Gamma, \Delta, s \triangleright t \longrightarrow C$$



Finally, G has new rules for treating the ∇-quantifier. The only reduction rule which deals specifically with either the ∇L or ∇R rule is the essential cut between both rules which is treated as follows:

$$\frac{\dfrac{\begin{array}{c}\Pi' \\ \Sigma : \Gamma \longrightarrow B[a/x]\end{array}}{\Sigma : \Gamma \longrightarrow \nabla x.B}\;\nabla\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi'' \\ \Sigma : B[a/x], \Delta \longrightarrow C\end{array}}{\Sigma : \nabla x.B, \Delta \longrightarrow C}\;\nabla\mathcal{L}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

$$\Longrightarrow$$

$$\frac{\begin{array}{c}\Pi' \\ \Sigma : \Gamma \longrightarrow B[a/x]\end{array} \qquad \begin{array}{c}\Pi'' \\ \Sigma : B[a/x], \Delta \longrightarrow C\end{array}}{\Sigma : \Gamma, \Delta \longrightarrow C}\;\mathrm{cut}$$

With these changes, the cut-elimination argument for Linc⁻ extends to G, i.e., G admits cut-elimination. □

The consistency of G is an easy consequence of Theorem 4.1.6.

Corollary 4.1.7. The logic G is consistent, i.e., not all sequents are provable in it.

Proof. The sequent $\longrightarrow \bot$ has no cut-free proof and, hence, no proof in G. □



4.2 Adequacy of Encodings and Theorems in the Meta-logic 

The logic G provides various features such as λ-terms, definitions, and ∇-quantification which form a convenient vehicle for encoding computational systems. With all these features, one might rightfully ask if our encodings in G are faithful representations of the computational systems they describe. This kind of property for encodings, which is formally known as adequacy, is similar to the one that we have already encountered with respect to the specification logic. A proof of adequacy establishes a relationship between terms and judgments in an object system and their encoding in G in such a way that we can relate reasoning results proven about the encoding to results about the original system. In this section we discuss adequacy in more detail, we describe the general approach to proving adequacy, and we present an example which illustrates some of the nuances which may arise for particular encodings.

At a philosophical level, adequacy is the method by which we assign meaning to our logic. Without adequacy, the logic has only behavior. Thus, one may naively ask a question such as, "what does the ∇-quantifier mean?" To which a valid answer is that the ∇-quantifier has no meaning in itself. It has the behavior of introducing a fresh nominal constant into a formula, but it is only through adequacy that we can interpret this behavior and provide it with some meaning. For instance, we might establish a correspondence between nominal constants in a G formula and free variables in a typing judgment for an object system. In this setting, the meaning of ∇-quantification can be interpreted as quantifying over fresh free variables.

A proof of adequacy for an encoding of an object system in G consists of two parts:

1. the description of a bijection between the terms of the object system and their encoding in G, and

2. a proof, based on this bijection, that a judgment in the object system holds if and only if its encoding in G is provable.

For the second point, the cut-elimination result from Section 4.1 is of critical importance since it allows us to restrict the sort of proofs we must consider. Without an independent proof of the cut-elimination property, proving adequacy would require establishing something like a cut-elimination theorem relative to each encoding that we wish to prove adequate.

Our ultimate objective is, of course, to prove theorems about the original system. However, this follows naturally from the proof of a relevant theorem in G and the adequacy of encodings in the following way: 1) using adequacy, object level judgments are translated into G formulas, 2) the relevant theorem proven in G is used as a lemma on these formulas, and 3) using adequacy, the result of that lemma application is then translated back into an object level judgment. The end result is that the theorem is proven for the object system while most of the reasoning takes place within G. The cut rule plays an essential role here as it allows us to use theorems proven in G as lemmas, which is very useful in reasoning and absolutely vital in the adequacy argument outlined above. It is for this reason that we cannot simply exclude the cut rule from our logic and hope to avoid the work involved in showing cut-elimination.

It is important to remember that adequacy is only an interface issue, i.e., it is only a question about the "inputs" and "outputs" of G. We show that an encoding of an object system (the "input") is adequate and we use this to relate reasoning results in G (the "output") to results about the original system. Any auxiliary notions that we use within the logic in order to establish the results of interest do not matter for the purposes of adequacy. This is not to say that we do not care what goes on in between. Certainly we have designed the logic G so that the intermediate reasoning can closely mimic the informal reasoning that is typically done. But in the end, the correctness of the reasoning that is performed depends only on the adequacy results and the cut-elimination property for G.

$$\frac{}{(\lambda x.r) \Downarrow (\lambda x.r)} \qquad\qquad \frac{m \Downarrow (\lambda x.r) \qquad r[x := n] \Downarrow v}{(m\ n) \Downarrow v}$$

Figure 4.1: An evaluation relation for untyped λ-terms

$$\begin{array}{l} \mathit{eval}\ (\mathit{abs}\ R)\ (\mathit{abs}\ R) \triangleq \top \\ \mathit{eval}\ (\mathit{app}\ M\ N)\ V \triangleq \exists R.\ \mathit{eval}\ M\ (\mathit{abs}\ R) \wedge \mathit{eval}\ (R\ N)\ V \end{array}$$

Figure 4.2: An encoding of the evaluation relation in Figure 4.1

As an example, let us now consider the adequacy of a proof of determinacy for an evaluation relation on untyped λ-terms. The evaluation relation of interest is presented in Figure 4.1. This example will be sufficient to illustrate the key issues involved in showing adequacy for an encoding in G, while a more thorough example is presented later in Section 6.5.1.

To represent untyped λ-terms in G we introduce the type $tm$ along with the constructors $\mathit{app} : tm \to tm \to tm$ and $\mathit{abs} : (tm \to tm) \to tm$. Then we encode the evaluation relation as a definition for a predicate $\mathit{eval} : tm \to tm \to o$ as shown in Figure 4.2. Given this definition, we can prove the following determinacy result in G:

$$\forall t, v_1, v_2.\ (\mathit{eval}\ t\ v_1 \wedge \mathit{eval}\ t\ v_2) \supset v_1 = v_2.$$

What we want to do is use this result to obtain a similar determinacy result for evaluation in the original system. We will develop the bijections and the associated adequacy lemmas below to be able to obtain such a translation.

We begin by defining a mapping ⌜·⌝ from untyped λ-terms to their representation in G:

$$\ulcorner x \urcorner = x \qquad\quad \ulcorner t_1\ t_2 \urcorner = \mathit{app}\ \ulcorner t_1 \urcorner\ \ulcorner t_2 \urcorner \qquad\quad \ulcorner \lambda x.t \urcorner = \mathit{abs}\ (\lambda x.\ulcorner t \urcorner)$$

Note that we conflate the names of variables in untyped λ-terms with the corresponding names in G. In truth, the bound variables of untyped λ-terms will be mapped to bound variables of type $tm$ in G, while the free variables of untyped λ-terms will be mapped to nominal constants of type $tm$ in G. Assuming a one-to-one correspondence between such terms, the above mapping is obviously bijective. Moreover, closed untyped λ-terms will map to terms in G without nominal constants and vice-versa. Thus our representation of untyped λ-terms is adequate.¹

Since we use the substitution mechanism of G in the definition of eval to encode substitution on untyped λ-terms, we will later need to know that these two substitution relations are related via ⌜·⌝ in the following sense.

Lemma 4.2.1. Let $t_1$ and $t_2$ be untyped λ-terms. Then $\ulcorner t_1[x := t_2] \urcorner = \ulcorner t_1 \urcorner[\ulcorner t_2 \urcorner/x]$ where the substitution on the left takes place in the context of untyped λ-terms and the substitution on the right takes place in G.

Proof. The proof is by a straightforward induction on the structure of $t_1$. □

Next we want to show an if-and-only-if relationship between the original evaluation judgment and its encoding in G. This is formalized as follows.

Lemma 4.2.2. $t \Downarrow v$ has a derivation if and only if $\longrightarrow \mathit{eval}\ \ulcorner t \urcorner\ \ulcorner v \urcorner$ is provable in G.

Proof. The proof in the forward direction is by straightforward induction on the derivation of $t \Downarrow v$.

For the backward direction we first note that $\longrightarrow \mathit{eval}\ \ulcorner t \urcorner\ \ulcorner v \urcorner$ must have a cut-free derivation by Theorem 4.1.6. The proof will be by induction on the height of this cut-free derivation. The cut-free derivation must end with defR though for ease of presentation we may suppose that it ends with defR′.² The interesting case is when considering the second clause for eval, i.e., when $t = (m\ n)$ and the derivation ends as follows.

$$\frac{\dfrac{\longrightarrow \mathit{eval}\ \ulcorner m \urcorner\ (\mathit{abs}\ R) \qquad \longrightarrow \mathit{eval}\ (R\ \ulcorner n \urcorner)\ \ulcorner v \urcorner}{\longrightarrow \mathit{eval}\ \ulcorner m \urcorner\ (\mathit{abs}\ R) \wedge \mathit{eval}\ (R\ \ulcorner n \urcorner)\ \ulcorner v \urcorner}\;\wedge\mathcal{R}}{\dfrac{\longrightarrow \exists r.\ \mathit{eval}\ \ulcorner m \urcorner\ (\mathit{abs}\ r) \wedge \mathit{eval}\ (r\ \ulcorner n \urcorner)\ \ulcorner v \urcorner}{\longrightarrow \mathit{eval}\ (\mathit{app}\ \ulcorner m \urcorner\ \ulcorner n \urcorner)\ \ulcorner v \urcorner}\;\mathrm{def}\mathcal{R}'}\;\exists\mathcal{R}$$

Here $R$ is a term of type $tm \to tm$. By the bijectivity of ⌜·⌝ we know that $(\mathit{abs}\ R)$ is the representation of an untyped λ-term and thus we can apply the inductive hypothesis to the upper left sequent. Similarly, we can apply the inductive hypothesis to the upper right sequent after using Lemma 4.2.1 to convert $(R\ \ulcorner n \urcorner)$ to the representation of a substitution over untyped λ-terms. □
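The mapping ⌜·⌝, the two substitutions compared in Lemma 4.2.1 and the two evaluation relations related by Lemma 4.2.2, carried out on sample terms as an added example. This is not code from the thesis or from Abella; the tuple layout of G-terms, the function names (encode, decode, subst, g_subst, evaluate, g_eval) and the shared renaming policy in fresh are assumptions of the example. Because both substitutions rename binders with the same policy, Lemma 4.2.1 can be checked by syntactic equality instead of equality up to α-conversion; the same terms also show why adequacy matters: a free variable in function position is stuck in Figure 4.1 and matches no clause of Figure 4.2.

```python
# Added example (not code from the thesis or from Abella): the mapping ⌜·⌝ of
# Section 4.2, the two substitutions of Lemma 4.2.1 and the evaluation
# relations of Figures 4.1 and 4.2, made executable so the adequacy claims can
# be checked on sample terms.  Names and the tuple layout are assumptions.
from collections import namedtuple

# Object system: untyped lambda-terms with named variables.
Var = namedtuple("Var", "name")
App = namedtuple("App", "fn arg")
Lam = namedtuple("Lam", "var body")

# G side: a term of type tm is ("var", x), ("app", M, N) or ("abs", ("lam", x, R)),
# mirroring app : tm -> tm -> tm and abs : (tm -> tm) -> tm.

def encode(t):
    """⌜x⌝ = x,  ⌜t1 t2⌝ = app ⌜t1⌝ ⌜t2⌝,  ⌜λx.t⌝ = abs (λx.⌜t⌝)."""
    if isinstance(t, Var):
        return ("var", t.name)
    if isinstance(t, App):
        return ("app", encode(t.fn), encode(t.arg))
    return ("abs", ("lam", t.var, encode(t.body)))

def decode(g):
    """Inverse of encode; the two together witness that ⌜·⌝ is a bijection."""
    if g[0] == "var":
        return Var(g[1])
    if g[0] == "app":
        return App(decode(g[1]), decode(g[2]))
    _, x, body = g[1]
    return Lam(x, decode(body))

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fn) | free_vars(t.arg)
    return free_vars(t.body) - {t.var}

def fresh(base, avoid):
    """Renaming policy shared by both substitutions (assumption of the example)."""
    while base in avoid:
        base += "'"
    return base

def subst(t, x, s):
    """Capture-avoiding t[x := s] on untyped lambda-terms."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fn, x, s), subst(t.arg, x, s))
    y, body = t.var, t.body
    if y == x:
        return t
    if y in free_vars(s):  # rename the binder before substituting under it
        z = fresh(y, free_vars(s) | free_vars(body) | {x})
        body, y = subst(body, y, Var(z)), z
    return Lam(y, subst(body, x, s))

def g_subst(g, x, s):
    """Capture-avoiding substitution ⌜t1⌝[⌜t2⌝/x] written directly on G-terms."""
    if g[0] == "var":
        return s if g[1] == x else g
    if g[0] == "app":
        return ("app", g_subst(g[1], x, s), g_subst(g[2], x, s))
    _, y, body = g[1]
    if y == x:
        return g
    fv = free_vars(decode(s))  # free variables of a G-term, via the bijection
    if y in fv:
        z = fresh(y, fv | free_vars(decode(body)) | {x})
        body, y = g_subst(body, y, ("var", z)), z
    return ("abs", ("lam", y, g_subst(body, x, s)))

def evaluate(t):
    """Figure 4.1: (λx.r) ⇓ (λx.r); (m n) ⇓ v when m ⇓ (λx.r) and r[x := n] ⇓ v."""
    if isinstance(t, Lam):
        return t
    if isinstance(t, App):
        f = evaluate(t.fn)
        if not isinstance(f, Lam):
            raise ValueError("stuck: function position is not an abstraction")
        return evaluate(subst(f.body, f.var, t.arg))
    raise ValueError("stuck: free variable")

def g_eval(g):
    """Figure 4.2 read as a program: eval (abs R) (abs R) ≜ ⊤ and
    eval (app M N) V ≜ ∃R. eval M (abs R) ∧ eval (R N) V, with (R N) computed
    by g_subst; a free variable matches no clause."""
    if g[0] == "abs":
        return g
    if g[0] == "app":
        _, x, body = g_eval(g[1])[1]  # g_eval returns an abs or raises
        return g_eval(g_subst(body, x, g[2]))
    raise ValueError("no clause of eval applies")
```

With K = λx.λy.x and I = λx.x, the constructed term (K I) z evaluates to I on both sides, and substituting y for x in λy.x y renames the binder to y' on both sides, which is exactly the capture case Lemma 4.2.1 has to cover.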

It was essential to applying the inductive hypothesis in the proof of the lemma above that our mapping was a bijection. This property would not hold, for instance, if we restricted attention to only closed untyped λ-terms in the object language and we still allowed ∇-quantification at type $tm$ and, hence, admitted nominal constants of this type; specifically, we would have terms of type $tm$ in G that do not correspond to any closed untyped λ-terms. We would then not have been able to apply the inductive hypothesis in the proof of Lemma 4.2.2 because we would have to consider the possibility that particular occurrences of the ∃R rule generalize on terms of type $tm$ that contain one or more nominal constants. However, it is still possible to use a proof in G to establish a property about the original system even in this case. To do this, we would have to introduce a definition in G for the class of terms of type $tm$ that do not contain nominal constants and we would have to relativize the theorem we prove in G to the class of terms satisfying this definition. From this perspective, adequacy is not always just a matter of mapping terms in the object system to terms in G: we may need to map terms in the object system to terms satisfying a particular predicate in G.

¹ A subtle but important point: we do not permit ∇-quantification at type $tm \to tm$. Allowing this would mean that we will have terms in G such as $\mathit{abs}\ c$ for a nominal constant $c$. Since such a term cannot be the image of any untyped λ-term, the representation would then not be adequate.

² Note that cut-elimination was shown for the logic containing defL and defR, whereas defL′ and defR′ are only admissible additions to the logic.

We now return to showing how a theorem in G about the determinacy of the evaluation relation can be combined with the adequacy property for the encoding of untyped λ-terms to yield a theorem about the determinacy of the evaluation relation in the original calculus.

Theorem 4.2.3. If $t \Downarrow v_1$ and $t \Downarrow v_2$ then $v_1$ equals $v_2$.

Proof. Suppose $t \Downarrow v_1$ and $t \Downarrow v_2$ both have derivations. By Lemma 4.2.2 that means we have proofs of $\longrightarrow \mathit{eval}\ \ulcorner t \urcorner\ \ulcorner v_1 \urcorner$ and $\longrightarrow \mathit{eval}\ \ulcorner t \urcorner\ \ulcorner v_2 \urcorner$. We also know from before that the following has a derivation in G:

$$\longrightarrow \forall t, v_1, v_2.\ (\mathit{eval}\ t\ v_1 \wedge \mathit{eval}\ t\ v_2) \supset v_1 = v_2.$$

Then using the rules ∀L, ⊃L, ∧R, id, and cut, we can construct a derivation of $\longrightarrow \ulcorner v_1 \urcorner = \ulcorner v_2 \urcorner$. By Theorem 4.1.6 we know that $\longrightarrow \ulcorner v_1 \urcorner = \ulcorner v_2 \urcorner$ must have a cut-free derivation. This derivation must end with ▷R which applies only if $\ulcorner v_1 \urcorner$ is equal to $\ulcorner v_2 \urcorner$. Since ⌜·⌝ is a bijection, this means that $v_1$ equals $v_2$. □

The discussion of adequacy in this section is reminiscent of an earlier discussion relative to the specification logic and hence raises the question of what, if anything, is different. The main observation here is that the logic G is significantly richer than the $hH^2$ logic. In particular, when proving properties about an $hH^2$ specification, reasoning is conducted using general mathematical techniques, while for proving properties about an encoding in G, the reasoning is conducted within G itself. Thus, when working with G, we use adequacy to connect results proven in G with corresponding results about the original system. One may informally think of this as establishing adequacy for the theorems in G relative to their counterparts about the original system.



Chapter 5 



An Interactive Theorem Prover for the Meta-logic 



As part of this thesis, we have developed an interactive theorem prover called Abella for the logic G [Gac08, Gac09]. Abella is implemented in OCaml and currently comprises approximately 4,000 lines of code. This system has been available to the public as open source software since March 2008 and has, in fact, been downloaded by several researchers. One of the key components of a theorem prover for G is the treatment of nominal abstraction problems. We have discussed in Section 3.2.4 how the task of finding a solution to particular instances of the nominal abstraction predicate can be reduced to solving higher-order unification problems. Abella makes use of this reduction. Moreover, it assumes that the resulting unification problems lie within a restricted class known as the higher-order pattern unification class [Mil91, Nip93]. To solve such problems, it uses an algorithm developed by Nadathur and Linnell [NL05] that was initially implemented in Standard ML and that has subsequently been adapted to OCaml.

In this chapter, we briefly describe the architecture of Abella; this discussion serves the auxiliary purpose of building up ideas and terminology that we need for presenting applications of G in Chapter 7. Abella requires proofs to be constructed through an interaction with a user. At any time, the state of a proof is represented as a collection of subgoals, all of which need to be proved for the overall proof to succeed. The user applies a tactic to a subgoal in order to make progress towards a completed proof. If we think of the proof as a derivation constructed in G, then the subgoals in Abella correspond to sequents in the derivation which do not themselves have derivations as yet. Tactics then correspond to schemes for applying the rules of G to such sequents in order to (incrementally) fill out their derivations.

There are two guiding principles for designing tactics in Abella:

1. they should correspond to some combination of rules from G, and

2. they should correspond to natural reasoning steps.

For the most part, the rules of G themselves resemble natural reasoning steps. The role of many tactics, therefore, is simply to chain these together into larger steps. For example, given a goal of the form

$$\Sigma : \Gamma \longrightarrow \forall\bar{x}.\ H_1 \supset \ldots \supset H_n \supset C$$

we may want to transition in one step into a goal of the following form:

$$\Sigma, \bar{x} : \Gamma, H_1, \ldots, H_n \longrightarrow C.$$

Tactics are also used to group together many alternative rules. For example, a "case analysis" tactic may actually perform ∨L, ∧L, ⊥L, defL, ∃L, or ∇L based on the structure of the formula to which it is applied.

In the rest of this chapter, we describe two areas in which tactics greatly massage the rules of G into a convenient form. The first concerns how hypotheses or lemmas of a particular form can be applied to other hypotheses. The second concerns a treatment of induction and co-induction which can naturally accommodate even sophisticated inductive and co-inductive arguments.



5.1 A Framework for Using Lemmas 

Suppose we have a hypothesis of the form

$$\forall\bar{x}.\ H_1 \supset \ldots \supset H_n \supset C$$

and further hypotheses $H'_1, \ldots, H'_n$ which match $H_1, \ldots, H_n$ under proper instantiations of the $\bar{x}$. Then we would like a tactic to apply the first hypothesis to $H'_1, \ldots, H'_n$, i.e., a tactic which finds the proper instantiations for $\bar{x}$ and chains together the rules of G to generate a new hypothesis $C'$ that is the corresponding instantiation of $C$. To be more specific, let Γ contain $H'_1, \ldots, H'_n$. Then we want a tactic which constructs the derivation

$$\frac{\begin{array}{c}\Pi_1 \\ \Gamma \longrightarrow H_1[\bar{t}/\bar{x}]\end{array} \qquad \begin{array}{c}\dfrac{\begin{array}{c}\Pi_n \\ \Gamma \longrightarrow H_n[\bar{t}/\bar{x}]\end{array} \qquad \begin{array}{c}\Pi \\ \Gamma, C[\bar{t}/\bar{x}] \longrightarrow B\end{array}}{\Gamma, H_n[\bar{t}/\bar{x}] \supset C[\bar{t}/\bar{x}] \longrightarrow B}\;\supset\mathcal{L} \\ \vdots \\ \Gamma, H_2[\bar{t}/\bar{x}] \supset \ldots \supset H_n[\bar{t}/\bar{x}] \supset C[\bar{t}/\bar{x}] \longrightarrow B\end{array}}{\dfrac{\Gamma, H_1[\bar{t}/\bar{x}] \supset \ldots \supset H_n[\bar{t}/\bar{x}] \supset C[\bar{t}/\bar{x}] \longrightarrow B}{\Gamma, \forall\bar{x}.\ H_1 \supset \ldots \supset H_n \supset C \longrightarrow B}\;\forall\mathcal{L}}\;\supset\mathcal{L}$$

where each $\Pi_i$ is just the identity rule. In an actual implementation, this construction may be accomplished by replacing the variables $\bar{x}$ with instantiatable meta-variables $\bar{v}$ and using unification between $H_i[\bar{v}/\bar{x}]$ and $H'_i$ to determine specific values for the $\bar{v}$.

Using the above construction, we can think of more sophisticated ways in which $H'_i$ will match $H_i[\bar{t}/\bar{x}]$. All that we effectively require is that a derivation of $\Gamma \longrightarrow H_i[\bar{t}/\bar{x}]$ can be constructed automatically. One useful case arises when $H_i[\bar{t}/\bar{x}]$ has the form $\nabla\bar{z}.H''_i$ for some formula $H''_i$, and where $H'_i$ will match $H''_i[\bar{a}/\bar{z}]$ for some distinct listing of nominal constants $\bar{a}$ which are not in the support of $H''_i$. If such a case holds, then a derivation of $\Gamma \longrightarrow \nabla\bar{z}.H''_i$ can be constructed by repeated use of ∇R followed by the initial rule. As before, in an actual implementation, we might be working with $H_i[\bar{v}/\bar{x}] = \nabla\bar{z}.H''_i$ where $\bar{v}$ are instantiatable meta-variables. In such a case, we can determine proper instantiations for the $\bar{v}$ by solving the nominal abstraction $\lambda\bar{z}.H''_i \triangleright H'_i$.
Typically, lemmas also have the form

$$\forall\bar{x}.\ H_1 \supset \ldots \supset H_n \supset C.$$

If we have independently proven such a lemma, then we can use cut to bring it in as a hypothesis at any time. Then we can use this lemma together with other hypotheses as described above so as to derive a suitable instance of $C$.
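A miniature of the apply tactic just described, as an added example that is not Abella's own code. A lemma ∀x̄. H1 ⊃ … ⊃ Hn ⊃ C is stored as its bound variables, premises and conclusion; applying it to hypotheses H'1, …, H'n replaces x̄ by instantiable meta-variables, unifies each Hi[v̄/x̄] with H'i and returns the resulting instance of C, which is what the ∀L/⊃L chain above produces. Formulas and terms are nested tuples, and only first-order syntactic unification with an occurs check is implemented, whereas Abella solves higher-order pattern unification and nominal abstraction problems; the function names, the tuple layout and the sample lemma (the determinacy theorem of Section 4.2 in the ⊃-chained form preferred here) are assumptions of the example.

```python
# Added example (not Abella's code): a first-order "apply" tactic.  A lemma
# ∀x̄. H1 ⊃ ... ⊃ Hn ⊃ C is (x̄, [H1..Hn], C); terms and formulas are nested
# tuples whose first element is a constant or predicate name.  Names and the
# data layout are assumptions of this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Meta:
    """An instantiable meta-variable standing in for one of the x̄."""
    name: str


def walk(t, sub):
    """Follow the bindings of a meta-variable in the substitution."""
    while isinstance(t, Meta) and t in sub:
        t = sub[t]
    return t


def occurs(v, t, sub):
    t = walk(t, sub)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, sub) for a in t))


def unify(a, b, sub):
    """Extend sub so that a and b become equal, or return None on failure."""
    a, b = walk(a, sub), walk(b, sub)
    if a == b:
        return sub
    if isinstance(a, Meta):
        return None if occurs(a, b, sub) else {**sub, a: b}
    if isinstance(b, Meta):
        return unify(b, a, sub)
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            sub = unify(x, y, sub)
            if sub is None:
                return None
        return sub
    return None  # distinct constants or different arities


def replace(t, mapping):
    """Replace the bound variable names x̄ by the given meta-variables v̄."""
    if isinstance(t, tuple):
        return tuple(replace(a, mapping) for a in t)
    return mapping.get(t, t)


def instantiate(t, sub):
    """Apply the substitution found by unification; unconstrained x̄ stay Meta."""
    t = walk(t, sub)
    if isinstance(t, tuple):
        return tuple(instantiate(a, sub) for a in t)
    return t


def apply_lemma(lemma, hyps):
    """Return C[t̄/x̄] for the t̄ that make H1..Hn match hyps, or None if no
    instantiation does; this is the new hypothesis the tactic adds."""
    xs, premises, conclusion = lemma
    if len(premises) != len(hyps):
        raise ValueError("apply needs exactly one hypothesis per premise")
    metas = {x: Meta(x) for x in xs}
    sub = {}
    for h, hyp in zip(premises, hyps):
        sub = unify(replace(h, metas), hyp, sub)
        if sub is None:
            return None
    return instantiate(replace(conclusion, metas), sub)


# Constructed sample lemma: the determinacy theorem of Section 4.2 in the
# curried form ∀t,v1,v2. eval t v1 ⊃ eval t v2 ⊃ v1 = v2.
EVAL_DET = (["t", "v1", "v2"],
            [("eval", "t", "v1"), ("eval", "t", "v2")],
            ("=", "v1", "v2"))
```

Applying EVAL_DET to the hypotheses eval (app m n) v and eval (app m n) (abs r) yields the new hypothesis v = abs r; if the two hypotheses talk about different terms the premises cannot both be matched and the tactic reports failure rather than guessing.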

By supporting an easy and direct use of lemmas, the system encourages large proofs to be broken down into separate lemmas which build towards a final result. In practice, these intermediate lemmas and the points at which they are used are often the most important pieces in the development of a proof. In fact, the structure of most arguments is the following: use the induction rule, then perform case analysis and finally use particular lemmas and the induction hypothesis to obtain the goal. Thus in the actual presentation of proofs, the detailed proof steps are hidden by default, and instead the focus is on the series of lemmas that lead to the desired conclusions [Gac09].

A final point worth mentioning is that we deliberately consider formulas of the form

$\forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$

even though the following form is equivalent and perhaps easier for humans to read:

$\forall \bar{x}.\ H_1 \wedge \cdots \wedge H_n \supset C.$

The reason we prefer the first form is two-fold: 1) it has a recursive structure which is easier
to work with in an implementation, and 2) in the degenerate case when $n = 0$, the
first form is $\forall \bar{x}.\ C$ while the second is the more obtuse $\forall \bar{x}.\ \top \supset C$. In the future, we shall
always work with formulas in the first form.

5.2 An Annotation Based Scheme for Induction 

The rule for induction in $\mathcal{G}$ can be somewhat awkward to use from a traditional reasoning
perspective: it requires one to formulate an invariant $S$, prove that $S$ is truly an invariant,
and then use $S$ in place of the predicate that was given by the inductive definition under
consideration. In traditional reasoning, these steps are often merged into a single idea
which is called simply "reasoning by induction." In this section we present a treatment of
induction based on annotating formulas which aims to capture this simplified approach to
induction. Further, we justify this treatment by translating the tactic that underlies it into
a particular application of the logical rules of $\mathcal{G}$.

Let us consider a very simple inductive argument to introduce the annotation based
treatment of induction. Suppose we define even and odd on natural numbers as follows.

$even\ z \triangleq \top$

Suppose we want to prove that if $N$ is even then $s\ N$ is odd:

$\forall N.\ even\ N \supset odd\ (s\ N).$

The proof is by induction on the even hypothesis. The annotation based treatment of this
induction proceeds by creating a new hypothesis (called the inductive hypothesis) of the
form

$\forall N.\ (even\ N)^* \supset odd\ (s\ N)$

and changing the goal to

$\forall N.\ (even\ N)^{@} \supset odd\ (s\ N).$

The * annotation indicates that the inductive hypothesis can only be applied to an argument
which has that same annotation. The @ annotation indicates that when this atomic formula
is subjected to case analysis, any recursive calls to even will be annotated with *. In all
other respects, the annotations are to be ignored, and besides the induction tactic there is
no way to introduce these annotations. In this way, Abella allows the inductive hypothesis
to be applied only when the distinguished inductive argument has been subjected to case
analysis.

Coming back to the proof, let us abbreviate the inductive hypothesis by IH. Then we
can eventually do case analysis on the even hypothesis which leads to the following sequents.

$IH \longrightarrow odd\ (s\ z) \qquad IH, (even\ N')^* \longrightarrow odd\ (s\ (s\ (s\ N')))$

The first of these is easily provable. In the second we apply the inductive hypothesis which
is allowed based on the annotations, and this produces a hypothesis of $odd\ (s\ N')$. The
rest of the proof is straightforward.

We will now show how this annotation based treatment of induction is sound by trans-
lating it to rules from $\mathcal{G}$. Suppose we want to prove the following.

$\forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$

Further, assume that we want to do this by induction on $H_i = p\ \bar{t}$ where $p$ is defined by
$\forall \bar{y}.\ p\ \bar{y} \triangleq B\ p\ \bar{y}$. Then we define the invariant $S$ as

$S = \lambda \bar{y}.\ \forall \bar{x}.\ \bar{y} = \bar{t} \supset H_1 \supset \cdots \supset H_n \supset C$

where $\bar{y} = \bar{t}$ denotes an equality between appropriately typed tuples involving the indicated
terms. Using this invariant, we can construct the following derivation in $\mathcal{G}$.

                    $\Pi_S$                                        $\Pi_1$
    $\bar{y} : B\ S\ \bar{y} \longrightarrow S\ \bar{y}$        $\bar{x} : S\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $\mathcal{IL}$
                    $\bar{x} : p\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$
                    $\bar{x} : H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $\supset\mathcal{R}$
                    $\bar{x} : \longrightarrow H_1 \supset \cdots \supset H_n \supset C$
    -------------------------------------------------------------------------------- $\forall\mathcal{R}$
                    $\cdot : \cdot \longrightarrow \forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$

Now, the missing derivation $\Pi_1$ is trivial to construct using $\forall\mathcal{L}$, $\supset\mathcal{L}$, $=\mathcal{R}$ and $id$. We fill in
the other missing derivation, $\Pi_S$, as follows:

                    $\Pi'_S$
    $\bar{x} : B\ S\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $=\mathcal{L}$
    $\bar{x}, \bar{y} : B\ S\ \bar{y}, \bar{y} = \bar{t}, H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $\supset\mathcal{R}$
    $\bar{x}, \bar{y} : B\ S\ \bar{y} \longrightarrow \bar{y} = \bar{t} \supset H_1 \supset \cdots \supset H_n \supset C$
    -------------------------------------------------------------------------------- $\forall\mathcal{R}$
    $\bar{y} : B\ S\ \bar{y} \longrightarrow \forall \bar{x}.\ \bar{y} = \bar{t} \supset H_1 \supset \cdots \supset H_n \supset C$

Then we fill in $\Pi'_S$ based on the content of the inductive argument carried out within the
annotation based scheme.

To complete this picture, let us consider how uses of the induction hypothesis in the
annotation based treatment of induction correspond to making use of the hypothesis $B\ S\ \bar{t}$
in constructing the derivation $\Pi'_S$. Within the annotation based treatment, the induction
hypothesis has the following form:

$\forall \bar{x}.\ H_1 \supset \cdots \supset (p\ \bar{t})^* \supset \cdots \supset H_n \supset C.$

Given the restrictions on annotations, this hypothesis can only be used if instantiations are
found for the $\bar{x}$ such that $(p\ \bar{t})^*$ is equal to one of the $(p\ \bar{s})^*$ which occur as a result of case
analysis on the original hypothesis of $(p\ \bar{t})^{@}$. By understanding case analysis as $def\mathcal{L}$ in
$\mathcal{G}$, we see that these occurrences of $(p\ \bar{s})^*$ for which the induction hypothesis is applicable
are exactly those occurrences of $p$ in $B\ p\ \bar{t}$. In turn, the induction invariant is available for
those same occurrences of $p$ when constructing the derivation $\Pi'_S$, which is precisely what
is realized via the hypothesis $B\ S\ \bar{t}$. Thus the annotation based treatment of induction can
be translated to a proper derivation in $\mathcal{G}$, and therefore the treatment is sound.



5.3 Extensions to the Basic Scheme for Induction 

The treatment of induction that we have just described can be extended in a few different 
ways. Each of these brings some additional complications to the construction of a corre- 
sponding derivation in Q. For clarity of presentation, we shall consider each extension in 
isolation, but we note that they could all be combined. 



5.3.1 Induction on a Predicate in the Scope of Generic Quantifiers 

We can extend the annotation based treatment of induction to work with predicates which
occur underneath $\nabla$-quantifiers. Suppose again we want to prove

$\forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$

where, this time, we want to induct on $H_i = \nabla \bar{z}.\ p\ \bar{t}$ where $p$ is defined by $\forall \bar{y}.\ p\ \bar{y} \triangleq
B\ p\ \bar{y}$. Within the annotation based treatment, nothing needs to be changed to cater to
this situation: $(p\ \bar{t})$ is annotated with * in the inductive hypothesis and with @ in the goal,
and the rules for applying an inductive hypothesis with $\nabla$s over the inductive argument are
the same as those described in Section 5.1.

We justify this treatment by defining the invariant $S$ as follows.

$S = \lambda \bar{y}.\ \forall \bar{x}.\ (\lambda \bar{z}.\ \bar{t} \rhd \bar{y}) \supset H_1 \supset \cdots \supset H_n \supset C$

We can follow the original construction with this invariant, and the only wrinkle is in the
construction of $\Pi_S$, a derivation of $\bar{y} : B\ S\ \bar{y} \longrightarrow S\ \bar{y}$. We construct this as follows.

                    $\Pi'_S$
    $\bar{x} : B\ S\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $\rhd\mathcal{L}$
    $\bar{x}, \bar{y} : B\ S\ \bar{y}, (\lambda \bar{z}.\ \bar{t} \rhd \bar{y}), H_1, \ldots, H_n \longrightarrow C$
    -------------------------------------------------------------------------------- $\supset\mathcal{R}$
    $\bar{x}, \bar{y} : B\ S\ \bar{y} \longrightarrow (\lambda \bar{z}.\ \bar{t} \rhd \bar{y}) \supset H_1 \supset \cdots \supset H_n \supset C$
    -------------------------------------------------------------------------------- $\forall\mathcal{R}$
    $\bar{y} : B\ S\ \bar{y} \longrightarrow \forall \bar{x}.\ (\lambda \bar{z}.\ \bar{t} \rhd \bar{y}) \supset H_1 \supset \cdots \supset H_n \supset C$

Here and in the future, we simplify the presentation by treating the free variables $\bar{z}$ in $\bar{t}$ as
nominal constants. Now we fill in $\Pi'_S$ based on the content of the inductive argument carried
out within the annotation based scheme. After using $\nabla\mathcal{L}$ and case analysis on $H_i = \nabla \bar{z}.\ p\ \bar{t}$
we will have $B\ p\ \bar{t}$ and also $B\ S\ \bar{t}$. Thus we have the inductive hypothesis available for the
recursive calls to $p$. The restrictions enforced by the nominal abstraction in $S$ are the same
as those enforced when applying hypotheses which have embedded occurrences of $\nabla$, as per
the discussion in Section 5.1. Thus this treatment is sound.



5.3.2 Induction in the Presence of Additional Premises 

We extend the annotation based treatment of induction by allowing induction in the context
of other hypotheses. That is, instead of proving $\cdot : \cdot \longrightarrow \forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$, we prove

$\Sigma : \Gamma \longrightarrow \forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C$

Within the annotation based treatment of induction, there is nothing that needs to be
changed to handle this case: we annotate the goal and generate an annotated induction
hypothesis which is added to the other hypotheses.

To verify the soundness of this extension, we reconstruct the original soundness ar-
gument using the invariant $S' = \lambda \bar{y}.\ \forall \Sigma.\ \bigwedge\Gamma \supset S\ \bar{y}$ where $S$ is the invariant prescribed
in the original construction and $\bigwedge\Gamma$ denotes the conjunction of all formulas in $\Gamma$. Then
the only significant change in the construction is that $\Pi_S$ needs to be a derivation of
$\bar{y} : B\ S'\ \bar{y} \longrightarrow S'\ \bar{y}$. Using $\forall\mathcal{R}$, $\supset\mathcal{R}$, and $\wedge\mathcal{L}$ this becomes $\Sigma, \bar{y} : \Gamma, B\ S'\ \bar{y} \longrightarrow S\ \bar{y}$. Finally,
we know $\forall \Sigma.\ \forall \bar{y}.\ \bigwedge\Gamma \supset S'\ \bar{y} \supset S\ \bar{y}$ by the definition of $S'$, and since $B$ does not use its
first argument negatively (due to stratification), we know $\forall \Sigma.\ \forall \bar{y}.\ \bigwedge\Gamma \supset B\ S'\ \bar{y} \supset B\ S\ \bar{y}$.
By using this, all we have left to show is $\Sigma, \bar{y} : \Gamma, B\ S\ \bar{y} \longrightarrow S\ \bar{y}$ which we can unfold as in
the original construction and what is left matches the work done in the annotation based
treatment.
5.3.3 Delayed Applications of the Induction Hypothesis

Another extension we can make is to allow the inductive hypothesis to be applied not just
for immediate recursive calls, but for finitely nested ones as well. This is supported in the
annotation based treatment by saying that case analysis on a hypothesis with a * annotation
results in recursive calls which also have the * annotation. For example, taking even and
odd as before, suppose we want to prove every natural number is either even or odd:

$\forall N.\ nat\ N \supset even\ N \vee odd\ N.$

The proof is by induction on $nat\ N$. Thus we have the inductive hypothesis IH as follows:

$\forall N.\ (nat\ N)^* \supset even\ N \vee odd\ N.$

When we perform case analysis on the hypothesis $(nat\ N)^{@}$ in the goal it leads to the
following sequents.

$IH \longrightarrow even\ z \vee odd\ z \qquad IH, (nat\ N')^* \longrightarrow even\ (s\ N') \vee odd\ (s\ N')$

The first sequent is trivial to prove, and we can apply case analysis to $(nat\ N')^*$ in the
second to get the following two sequents.

$IH \longrightarrow even\ (s\ z) \vee odd\ (s\ z) \qquad IH, (nat\ N'')^* \longrightarrow even\ (s\ (s\ N'')) \vee odd\ (s\ (s\ N''))$

Again the first sequent is trivial. In the second sequent we can apply the inductive hypoth-
esis to get the sequent

$\ldots, even\ N'' \vee odd\ N'' \longrightarrow even\ (s\ (s\ N'')) \vee odd\ (s\ (s\ N'')).$

Now we can apply $\vee\mathcal{L}$ and the rest of the proof is trivial to construct.
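The two proofs sketched in Sections 5.2 and 5.3.3, written as Abella scripts. This is an added example, not code from the thesis or from Abella's own examples. The clauses for even, odd and nat are assumed (the page shows only the first clause of even) and are chosen so that case analysis yields exactly the sequents displayed above. The hypothesis names H1, H2, ... and IH are the ones Abella generates; the comments record the annotations in play at each step.

```abella
% Added example (not from the thesis). A type of natural numbers with
% constructors z and s; the clauses for nat, even and odd are assumed.
Kind nt type.
Type z nt.
Type s nt -> nt.

Define nat : nt -> prop by
  nat z ;
  nat (s N) := nat N.

Define even : nt -> prop by
  even z ;
  even (s (s N)) := even N.

Define odd : nt -> prop by
  odd (s z) ;
  odd (s (s N)) := odd N.

% Section 5.2. "induction on 1" creates the inductive hypothesis
%   IH : forall N, even N * -> odd (s N)
% and marks the first hypothesis of the goal with @.  Case analysis on the
% @-annotated hypothesis is the only way to obtain a *-annotated one.
Theorem even_odd : forall N, even N -> odd (s N).
induction on 1. intros. case H1.
  % even z: the goal odd (s z) follows by unfolding odd
  search.
  % even (s (s N')) with H2 : even N' *; IH applies because of the *
  apply IH to H2. search.

% Section 5.3.3. Case analysis on a *-annotated hypothesis yields further
% *-annotated hypotheses, so IH may be applied to a call nested two deep.
Theorem nat_even_or_odd : forall N, nat N -> even N \/ odd N.
induction on 1. intros. case H1.
  % nat z: even z
  search.
  % nat (s N') with H2 : nat N' *
  case H2.
    % N' = z: odd (s z)
    search.
    % N' = s N'' with H3 : nat N'' *; the delayed application of IH
    apply IH to H3. case H4.
      search.
      search.
```

Running the script in Abella and removing either apply IH line shows the role of the annotations: without the inductive hypothesis the remaining goal is not provable by search, and an attempt to apply IH to a hypothesis lacking the * annotation is rejected.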

The justification for this extension in $\mathcal{G}$ is to use the invariant $S' = \lambda \bar{y}.\ S\ \bar{y} \wedge B\ S\ \bar{y}$ in
the original construction where $S$ is the original invariant. Then the only significant change in
the construction is that we are required to fill out the following derivation

                $\Pi_1$                                          $\Pi_2$
    $\bar{y} : B\ S'\ \bar{y} \longrightarrow S\ \bar{y}$        $\bar{y} : B\ S'\ \bar{y} \longrightarrow B\ S\ \bar{y}$
    -------------------------------------------------------------------------------- $\wedge\mathcal{R}$
                    $\bar{y} : B\ S'\ \bar{y} \longrightarrow S'\ \bar{y}$

Now note that $\forall \bar{x}.\ S'\ \bar{x} \supset S\ \bar{x}$ and $\forall \bar{x}.\ S'\ \bar{x} \supset B\ S\ \bar{x}$ are both trivially provable after
expanding the definition of $S'$. Since $B$ does not allow its first argument to occur negatively
(due to stratification) this means we can inductively construct derivations of $\forall \bar{x}.\ B\ S'\ \bar{x} \supset
B\ S\ \bar{x}$ and $\forall \bar{x}.\ B\ S'\ \bar{x} \supset B\ (B\ S)\ \bar{x}$. The construction of the derivation $\Pi_2$ follows directly
from the first of these. The derivation $\Pi_1$ contains the real content of the inductive proof.
If case analysis is eventually used on $H_i = p\ \bar{t}$ in this derivation then the $\bar{y}$ will have been
instantiated with $\bar{t}$ so that we have the hypothesis $B\ S'\ \bar{t}$. Thus we will have $B\ S\ \bar{t}$ which
is the regular inductive hypothesis and also $B\ (B\ S)\ \bar{t}$ which is the inductive hypothesis
applied to recursive calls nested at depth two. This depth can be extended to any finite
number by repeating the above construction with the appropriate $S'$.






5.3.4 Nested Inductions 

The use of annotations can be extended to allow nested inductions. For example, suppose
we define the following predicate $ack$ for computing the Ackermann function.

$ack\ z\ N\ (s\ N) \triangleq \top$
$ack\ (s\ M)\ z\ R \triangleq ack\ M\ (s\ z)\ R$
$ack\ (s\ M)\ (s\ N)\ R \triangleq \exists R'.\ ack\ (s\ M)\ N\ R' \wedge ack\ M\ R'\ R$

And suppose we want to prove that this function is total in its first two arguments:

$\forall M, N.\ nat\ M \supset nat\ N \supset \exists R.\ nat\ R \wedge ack\ M\ N\ R$

The proof requires an outer induction on $nat\ M$ and an inner induction on $nat\ N$. In the
annotation based treatment of induction, this is realized as follows. Applying induction to
$nat\ M$ produces the outer inductive hypothesis

$\forall M, N.\ (nat\ M)^* \supset nat\ N \supset \exists R.\ nat\ R \wedge ack\ M\ N\ R$

and the goal

$\forall M, N.\ (nat\ M)^{@} \supset nat\ N \supset \exists R.\ nat\ R \wedge ack\ M\ N\ R.$

Then applying induction to $nat\ N$ in this goal produces the inner inductive hypothesis

$\forall M, N.\ (nat\ M)^{@} \supset (nat\ N)^{**} \supset \exists R.\ nat\ R \wedge ack\ M\ N\ R$

and the goal

$\forall M, N.\ (nat\ M)^{@} \supset (nat\ N)^{@@} \supset \exists R.\ nat\ R \wedge ack\ M\ N\ R.$

The treatment of annotations is the same as described before. The annotations * and
** as well as @ and @@ are considered distinct and unrelated. Thus the outer inductive
hypothesis applies as before, while the inner inductive hypothesis can only be applied to
$(nat\ M)^{@}$ from the goal and something with the ** annotation which can only come from
case analysis on $(nat\ N)^{@@}$.

We will use this treatment to finish the proof of totality for the Ackermann function. Let
IH and IH' be the outer and inner induction hypotheses, respectively. Then the interesting
part of the proof comes after we have done case analysis on both $(nat\ M)^{@}$ and $(nat\ N)^{@@}$.
In particular, in the case where $M = s\ M'$ and $N = s\ N'$ we need to prove the following
sequent.

$IH, IH', (nat\ (s\ M'))^{@}, (nat\ M')^*, (nat\ N')^{**} \longrightarrow \exists R.\ nat\ R \wedge ack\ (s\ M')\ (s\ N')\ R$

Note that we must have performed contraction on $(nat\ M)^{@}$ prior to case analysis in order
to keep a copy of it. Then we can apply the inner induction hypothesis to $(nat\ (s\ M'))^{@}$
and $(nat\ N')^{**}$ to get the hypotheses $nat\ R'$ and $ack\ (s\ M')\ N'\ R'$ for some new variable $R'$.
Applying the outer inductive hypothesis to $(nat\ M')^*$ and $nat\ R'$ produces the hypotheses
$nat\ R''$ and $ack\ M'\ R'\ R''$. Then we can apply $\exists\mathcal{R}$ with $R = R''$, and the rest of the proof
is trivial.

Figure 5.1: Transition diagrams for two different processes
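The nested induction for the totality of ack as an Abella script, added here as an example (it is not code from the thesis). It assumes the same nt, nat and ack definitions as the text; case H1 (keep) performs the contraction on (nat M)@ that the paragraph above says is required, and IH and IH1 are Abella's names for the outer and inner inductive hypotheses.

```abella
% Added example (not from the thesis). nat and ack as defined in the text.
Kind nt type.
Type z nt.
Type s nt -> nt.

Define nat : nt -> prop by
  nat z ;
  nat (s N) := nat N.

Define ack : nt -> nt -> nt -> prop by
  ack z N (s N) ;
  ack (s M) z R := ack M (s z) R ;
  ack (s M) (s N) R := exists R', ack (s M) N R' /\ ack M R' R.

% Two inductions: the first produces IH (nat M * ...) and marks nat M with @,
% the second produces IH1 (nat M @ -> nat N ** ...) and marks nat N with @@.
Theorem ack_total : forall M N,
  nat M -> nat N -> exists R, nat R /\ ack M N R.
induction on 1. induction on 2. intros.
% H1 : nat M @, H2 : nat N @@.  (keep) retains H1 for use with IH1.
case H1 (keep).
  % M = z: the witness is s N, and nat (s N) follows from H2
  search.
  % M = s M' with H3 : nat M' *
  case H2.
    % N = z: ack (s M') z R reduces to ack M' (s z) R, so use IH at (s z)
    assert nat (s z). search.
    apply IH to H3 H4. case H5. search.
    % N = s N' with H4 : nat N' **: inner IH first, then outer IH
    apply IH1 to H1 H4. case H5.
    apply IH to H3 H6. case H8. search.
```

The two apply steps in the last case correspond to the sequent displayed above: IH1 applied to (nat (s M'))@ and (nat N')** gives nat R' and ack (s M') N' R', and IH applied to (nat M')* and nat R' gives nat R'' and ack M' R' R''; search then closes the goal with R'' as witness.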

We now justify the annotation based treatment of nested induction. As in the original
construction, suppose we want to prove

$\forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset C.$

And suppose the proof is by an outer induction on $H_i = p\ \bar{t}$ where $p$ is defined by $\forall \bar{y}.\ p\ \bar{y} \triangleq
B\ p\ \bar{y}$ and an inner induction on $H_j = q\ \bar{s}$ where $q$ is defined by $\forall \bar{z}.\ q\ \bar{z} \triangleq B'\ q\ \bar{z}$. We proceed
with the original construction using the original invariant $S$ for the outer induction. This
leaves us with a need to prove the following.

$\bar{x} : B\ S\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$

Now we apply contraction on $H_j = q\ \bar{s}$ and induct on one of the copies using the following
invariant.

$S' = \lambda \bar{z}.\ \forall \bar{x}.\ B\ S\ \bar{t} \supset \bar{z} = \bar{s} \supset H_1 \supset \cdots \supset H_n \supset C$

The only non-trivial sequent to prove will be $\bar{z} : B'\ S'\ \bar{z} \longrightarrow S'\ \bar{z}$. Applying $\forall\mathcal{R}$, $\supset\mathcal{R}$, and
$=\mathcal{L}$ this reduces to showing

$\bar{x} : B'\ S'\ \bar{s}, B\ S\ \bar{t}, H_1, \ldots, H_n \longrightarrow C$

Now from $B\ S\ \bar{t}$ we have the outer induction invariant available for the recursive calls to
$p$ which arise from case analysis on $H_i = p\ \bar{t}$. From $B'\ S'\ \bar{s}$ we have the inner induction
invariant available for the recursive calls to $q$ which arise from case analysis on $H_j = q\ \bar{s}$. The
caveat is that the inner induction invariant $S'$ requires a proof of $B\ S\ \bar{t}$. This constrains the
variables $\bar{x}$ in the inner induction invariant based on their occurrences in $\bar{t}$. In the annotation
based treatment, the requirement of a hypothesis with a @ annotation enforces exactly this
condition for the inner inductive hypothesis.

5.4 An Annotation Based Scheme for Co-induction 

We can also use annotations to treat co-induction. To illustrate how this works, we will take
an example from the domain of process calculi. Let us consider the two processes depicted
in Figure 5.1. Here the circles represent states and the arrows represent possible transitions
between those states. We say that a state $P$ is simulated by a state $Q$ if for every transition that
$P$ can make to a state $P'$ there exists a state $Q'$ to which $Q$ can transition and such that $P'$
is simulated by $Q'$. We consider the notion of simulation as co-inductive so a state can be
simulated by another state even if both have infinite (possibly cyclic) chains of transitions
from them. Suppose then, that we want to show that the state $p_0$ is simulated by the state
$q_0$. We can see that this is true by considering all possible transitions from these states and
recognizing that $p_1$ is simulated by the state $q_1$.

Let us now think of conducting this example in $\mathcal{G}$. We start by encoding the two
processes using the following definition of $step$.

$step\ p_0\ p_1 \triangleq \top \qquad step\ p_1\ p_0 \triangleq \top$

$step\ q_0\ q_1 \triangleq \top \qquad step\ q_1\ q_0 \triangleq \top \qquad step\ q_1\ q_2 \triangleq \top$

Then we define simulation as a co-inductive predicate $sim\ P\ Q$ which holds when the process
$P$ is simulated by the process $Q$. The precise definition is as follows.

$sim\ P\ Q \triangleq \forall P'.\ step\ P\ P' \supset \exists Q'.\ step\ Q\ Q' \wedge sim\ P'\ Q'$

Our goal is then to prove $sim\ p_0\ q_0$ which we generalize based on the argument sketched
above into the following formula to prove:

$\forall P, Q.\ (P = p_0 \wedge Q = q_0) \vee (P = p_1 \wedge Q = q_1) \supset sim\ P\ Q.$

If we apply annotation based co-induction to this goal we get the co-inductive hypothesis

$\forall P, Q.\ (P = p_0 \wedge Q = q_0) \vee (P = p_1 \wedge Q = q_1) \supset (sim\ P\ Q)^+$

and the new goal

$\forall P, Q.\ (P = p_0 \wedge Q = q_0) \vee (P = p_1 \wedge Q = q_1) \supset (sim\ P\ Q)^{\#}.$

Note that the annotations for co-induction apply to the consequent of an implication rather
than one of the hypotheses. The rules for these new annotations are as follows. If we
unfold (i.e., use $def\mathcal{R}$ on) a co-inductive definition with a # annotation then all of its
recursive calls have the + annotation. Hypotheses with a + annotation are obtained from
the co-inductive hypothesis and can only be used to match a goal with the + annotation.
For all other purposes, the annotations can be ignored. The proof of the above simulation
eventually reduces to the following two sequents where CH is the co-inductive hypothesis.

$CH \longrightarrow (sim\ p_0\ q_0)^{\#} \qquad CH \longrightarrow (sim\ p_1\ q_1)^{\#}$

The proofs of these two sequents are similar, so we will consider only the first one. Here if
we apply $def\mathcal{R}$, we will eventually end up with the sequent

$CH \longrightarrow (sim\ p_1\ q_1)^+.$

At this point we can apply the co-inductive hypothesis to get a hypothesis which will match
the goal.
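The simulation proof as an Abella script, added here as an example (not code from the thesis). The step clauses and the CoDefine of sim transcribe the definitions above; the theorem is the generalized formula, and CH is Abella's name for the co-inductive hypothesis. The assert steps supply the disjunctive premise that CH requires for the pair of states reached after one transition.

```abella
% Added example (not from the thesis). The two processes of Figure 5.1.
Kind proc type.
Type p0 proc.
Type p1 proc.
Type q0 proc.
Type q1 proc.
Type q2 proc.

Define step : proc -> proc -> prop by
  step p0 p1 ;
  step p1 p0 ;
  step q0 q1 ;
  step q1 q0 ;
  step q1 q2.

% CoDefine takes the greatest fixed point, so states with cyclic
% transition chains can still be related.
CoDefine sim : proc -> proc -> prop by
  sim P Q := forall P', step P P' -> exists Q', step Q Q' /\ sim P' Q'.

% "coinduction" creates CH : forall P Q, ... -> sim P Q + and marks the
% goal with #.  Unfolding a #-goal marks the recursive call sim P' Q' with +,
% which is exactly the annotation carried by what CH produces.
Theorem p0_sim_q0 : forall P Q,
  (P = p0 /\ Q = q0) \/ (P = p1 /\ Q = q1) -> sim P Q.
coinduction. intros. case H1.
  % P = p0, Q = q0: the only transition is step p0 p1, matched by step q0 q1
  unfold. intros. case H2.
    assert (p1 = p0 /\ q1 = q0) \/ (p1 = p1 /\ q1 = q1). search.
    apply CH to H3. search.
  % P = p1, Q = q1: the only transition is step p1 p0, matched by step q1 q0
  unfold. intros. case H2.
    assert (p0 = p0 /\ q0 = q0) \/ (p0 = p1 /\ q0 = q1). search.
    apply CH to H3. search.
```

In the first branch, case H2 on step p0 P' fixes P' to p1, and after apply CH the hypothesis sim p1 q1 + is what search uses to discharge the +-annotated recursive call; this is the sequent CH ⟶ (sim p1 q1)+ from the text. Replacing coinduction by a plain unfold loop would not terminate, which is why the greatest fixed point and the annotation discipline are needed.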

We can justify the annotation based treatment of co-induction by translating it into
appropriate rules from $\mathcal{G}$. Suppose we want to prove the following where $p$ is defined by
$\forall \bar{y}.\ p\ \bar{y} \triangleq B\ p\ \bar{y}$.

$\forall \bar{x}.\ H_1 \supset \cdots \supset H_n \supset p\ \bar{t}$

We proceed as in the construction for induction to get the sequent

$\bar{x} : H_1, \ldots, H_n \longrightarrow p\ \bar{t}.$

We then apply co-induction with the invariant $S$ as follows.

$S = \lambda \bar{y}.\ \exists \bar{x}.\ \bar{y} = \bar{t} \wedge H_1 \wedge \cdots \wedge H_n$

The $\mathcal{CIR}$ rule applied to the earlier sequent requires us to show $\bar{x} : H_1, \ldots, H_n \longrightarrow S\ \bar{t}$
which is trivial and $\bar{y} : S\ \bar{y} \longrightarrow B\ S\ \bar{y}$ which contains the real content of the co-inductive
proof. A derivation of this latter sequent can be constructed as follows.

    $\bar{x} : H_1, \ldots, H_n \longrightarrow B\ S\ \bar{t}$
    -------------------------------------------------------------------------------- $=\mathcal{L}$
    $\bar{y}, \bar{x} : \bar{y} = \bar{t}, H_1, \ldots, H_n \longrightarrow B\ S\ \bar{y}$
    -------------------------------------------------------------------------------- $\wedge\mathcal{L}$
    $\bar{y}, \bar{x} : \bar{y} = \bar{t} \wedge H_1 \wedge \cdots \wedge H_n \longrightarrow B\ S\ \bar{y}$
    -------------------------------------------------------------------------------- $\exists\mathcal{L}$
    $\bar{y} : \exists \bar{x}.\ \bar{y} = \bar{t} \wedge H_1 \wedge \cdots \wedge H_n \longrightarrow B\ S\ \bar{y}$

The derivation for the upper-most sequent here can be constructed based on the argument
carried out in the annotation based treatment. Within that argument, when the goal
$(p\ \bar{t})^{\#}$ is unfolded, the recursive calls will be annotated with + and will be provable using
the co-inductive hypothesis. This is what is given in the formal derivation by the goal $B\ S\ \bar{t}$.

This annotation based treatment of co-induction can be extended in ways similar to
the inductive treatment. For example, we can allow co-induction within a context of other
hypotheses, or we can allow the goal to be unfolded multiple times before applying the
co-inductive hypotheses. The soundness arguments for these extensions are similar to the
inductive case.
A Two-level Logic Approach to Reasoning

One approach to reasoning about object systems is to encode their descriptions directly
into definitions in $\mathcal{G}$ and to then use the inference rules of $\mathcal{G}$ with these definitions. In
this chapter we explore an alternative approach. In particular, we show how the meta-
logic $\mathcal{G}$ can be used to encode the specification logic $hH^2$ and to then reason about $hH^2$
specifications through this encoding. This is the two-level logic approach to reasoning that
was enunciated by McDowell and Miller earlier in the context of the meta-logic $FO\lambda^{\Delta I\!N}$
[MM02].

An important part of assessing the value of the two-level logic approach to reasoning
is understanding both its benefits and its costs. One benefit is that the specification logic
carves out a useful subset of the specifications that are possible in the meta-logic while
at the same time possessing a complete proof search procedure which makes it possible to
execute the specifications. A second benefit is that by encoding an entire specification logic
in the meta-logic, we can formalize properties of the specification logic and make them
available during reasoning. An auxiliary observation in this context is that because of the
way the specification logic can be used to encode object systems, the properties of this logic
that are used in meta-logic reasoning often turn out to be based on intuitions about the
properties of the object systems themselves. From a cost perspective, one issue with the
two-level logic approach to reasoning is that there is an additional overhead to reasoning
about specifications through the encoded semantics of the specification logic rather than
directly. Another cost to be considered is that because the specification logic is only a
subset of the full range of specifications allowed by the meta-logic, this approach in some
ways limits what we are able to say within a specification.

After all aspects are taken into account, we believe that the combination of the $hH^2$
specification logic and the meta-logic $\mathcal{G}$ provides a nice balance between the ben-
efits and costs of the two-level logic approach to reasoning. The specification logic $hH^2$
elegantly encodes many systems of interest, and there are efficient implementations of this
specification logic. Moreover, as we saw in Section 2.3, the properties of $hH^2$ provide useful
results during reasoning. Finally, as we shall see in this chapter, the encoding of $hH^2$ into
$\mathcal{G}$ is lightweight and therefore imposes little overhead on the reasoning process.

The rest of this chapter is laid out as follows. Section 6.1 describes the encoding of $hH^2$
into $\mathcal{G}$. Section 6.2 formalizes some properties of $hH^2$ as theorems in $\mathcal{G}$; these theorems
can then be used as lemmas to simplify subsequent reasoning. Section 6.3 illustrates our
specific realization of the two-level logic approach to reasoning and demonstrates its power
by using it to formalize the informal proof that we have presented in Chapter 1 of the fact
that types are preserved by evaluation in the simply-typed $\lambda$-calculus. Finally, Section 6.5
discusses the issue of adequacy relative to the two-level logic approach to reasoning.

6.1 Encoding the Specification Logic 

There are two components to our encoding of the specification logic $hH^2$ into the meta-logic
$\mathcal{G}$. First, we encode the syntax by defining a mapping $\psi$ from specification logic types and
terms to meta-logic types and terms. Since both logics are constructed from Church's simple
theory of types and hence contain subsets of expressions that are isomorphic, this encoding
can be very shallow. Second, we encode the semantics of $hH^2$ (i.e., the provability relation)
via the definition of a suitably chosen atomic judgment in $\mathcal{G}$. This encoding is lightweight,
which makes later reasoning fairly transparent. To aid in that reasoning we observe some
formulas that can be proved in $\mathcal{G}$ involving the judgment that encodes specification logic
provability. These theorems of $\mathcal{G}$ can be used as lemmas to shorten other proofs that we
would want to construct in $\mathcal{G}$.

6.1.1 Encoding the Syntax of the Specification Logic 

The types of our specification logic are mapped to isomorphic types in the meta-logic. We
define the mapping $\psi$ on types as follows.

$\psi(\tau) = \tau$ if $\tau$ is a base type $\qquad \psi(\tau_1 \to \tau_2) = \psi(\tau_1) \to \psi(\tau_2)$

For each specification type, we assume a bijective mapping between eigenvariables of that
type (in the specification logic) and nominal constants of that type (in the meta-logic). We
denote this mapping using subscripts: the eigenvariable $h$ maps to the nominal constant
$a_h$ and the nominal constant $a$ maps to the eigenvariable $h_a$. Using this, we define the
encoding of specification terms as follows.

$\psi(c) = c$ if $c$ is a constant $\qquad \psi(h) = a_h$ if $h$ is an eigenvariable

$\psi(x) = x$ if $x$ is a variable $\qquad \psi(\lambda x.\,t) = \lambda x.\,\psi(t) \qquad \psi(t_1\ t_2) = \psi(t_1)\ \psi(t_2)$

Now for clarity and correctness of the encoding, we make two adjustments to this map-
ping. First, the specification logic type $o$ for formulas is mapped to a distinguished type $frm$
to avoid conflicting with the type $o$ for meta-logic formulas. Second, we introduce a distin-
guished type $atm$ for atomic specification logic formulas and a constructor $\langle\cdot\rangle : atm \to frm$
to inject such atoms into formulas. We then modify the type of the specification logic $\supset$
connective to $atm \to frm \to frm$ to enforce the restriction that the left-hand side of an
implication is atomic.

Note that we map specification logic constants to constants of the same name in the
meta-logic. This means, for example, that the meta-logic will have two constants called $\wedge$.
One will be the logical connective of $\mathcal{G}$ with type $o \to o \to o$, and the other will be a term
constructor for representations of specification logic formulas with type $frm \to frm \to
frm$. We will always be able to distinguish between such constants based on the context
in which they are used.

Our encoding is clearly bijective. Furthermore, typing judgments are preserved by the
bijection in the following sense. Let $\mathcal{K}$ denote the set of meta-logic constants which represent
the constants of the specification logic; then $\Sigma \vdash t : \tau$ is a valid specification logic typing if
and only if $\mathcal{K}, \psi(\Sigma) \vdash \psi(t) : \psi(\tau)$ is a valid meta-logic typing where $\psi(\Sigma) = \{\psi(h) \mid h \in \Sigma\}$.
Since our mapping $\psi$ is bijective we will use the mapping $\psi^{-1}$ freely.

6.1.2 Encoding the Semantics of the Specification Logic 

In the encoding of the semantics of our specification logic, we shall use two auxiliary notions.
First, we introduce a type $nt$ for natural numbers with the constructors $z : nt$ and $s : nt \to
nt$ and the predicate $nat : nt \to o$ defined by

$nat\ z \triangleq \top \qquad nat\ (s\ N) \triangleq nat\ N$

As we see below, these numbers will be used to capture the idea of the height of a derivation
in our encoding of the provability relation of the specification logic. Second, we introduce
a type $atmlist$ with constructors $nil : atmlist$ and the infix $:: \, : atm \to atmlist \to atmlist$
and the predicate $member : atm \to atmlist \to o$ defined by

$member\ A\ (A :: L) \triangleq \top \qquad member\ A\ (B :: L) \triangleq member\ A\ L$

We shall use lists of this kind and the corresponding membership predicate to encode the
addition to premise sets when trying to prove implicational formulas in $hH^2$.

We encode $hH^2$ provability in $\mathcal{G}$ through the predicate $seq : nt \to atmlist \to frm \to o$
that is defined by the clauses in Figure 6.1. This encoding of $hH^2$ provability derives from
McDowell and Miller [MM02]. As described in Chapter 2, proofs in $hH^2$ contain sequents
of the form $\Sigma : \Delta, \mathcal{L} \vdash G$ where $\Delta$ is a fixed set of closed $D$-formulas and $\mathcal{L}$ is a varying set
of atomic formulas. The eigenvariables in $\Sigma$ are encoded as nominal constants in $\mathcal{G}$. The
meta-logic predicate $prog : atm \to frm \to o$ is used to represent the $D$-formulas in $\Delta$: the
$D$ formula $\forall \bar{x}.[G_1 \supset \cdots \supset G_n \supset A]$ is encoded as the clause $\forall \bar{x}.\ prog\ A\ (G_1 \wedge \cdots \wedge G_n) \triangleq \top$
and $\forall \bar{x}.A$ is encoded by the clause $\forall \bar{x}.\ prog\ A\ \top \triangleq \top$. We denote these $prog$ clauses by $\psi(\Delta)$,
and we note that such clauses do not contain any nominal constants since the formulas of
$\Delta$ are closed. Finally, the $hH^2$ sequent is encoded as $seq_N\ \psi(\mathcal{L})\ \psi(G)$ where we define $\psi$
on lists of atomic formulas as $\psi(A_n, \ldots, A_1) = A_1 :: \ldots :: A_n :: nil$. The argument $N$,
written as a subscript, roughly corresponds to the height of the proof tree and is used in
inductive arguments. To simplify notation, we write $L \Vdash_n G$ for $seq_n\ L\ G$ and $L \Vdash G$ for
$\exists n.\ nat\ n \wedge seq_n\ L\ G$. When $L$ is $nil$ we write simply $\Vdash_n G$ or $\Vdash G$.

Figure 6.1: Second-order hereditary Harrop logic in $\mathcal{G}$

Proofs of universally quantified $G$ formulas in $hH^2$ are generic in nature. A natural
encoding of this (object-level) quantifier in the definition of $seq$ uses a (meta-level) $\nabla$-
quantifier. In the case of proving an implication, the atomic assumption is maintained
in a list (the second argument of $seq$). The last clause for $seq$ implements backchaining
over a fixed $hH^2$ specification (stored as $prog$ atomic formulas). The matching of atomic
judgments to heads of clauses is handled by the treatment of definitions in the logic $\mathcal{G}$,
thus the last rule for $seq$ simply performs this matching and makes a recursive call on the
corresponding clause body.

Note that for each specification type $\tau$ we have the constants $\forall_\tau : (\tau \to frm) \to frm$
and $\exists_\tau : (\tau \to frm) \to frm$, thus we should have $seq$ clauses for each of these. However,
here and going forward, we present only general rules for $\forall$ and $\exists$, knowing that the actual
rules are easily derived from these.

With this kind of an encoding, we can now formulate and prove in $\mathcal{G}$ statements about
what is or is not provable in $hH^2$. In constructing such proofs, we shall sometimes need
induction over the height of derivations. Such arguments can be realized via induction on
the predicate $nat\ n$ in a formula of the form $\exists n.\ nat\ n \wedge seq_n\ L\ G$ occurring on the left of a
sequent. We may sometimes also want to use strong induction in our arguments. Towards
this end, we introduce the auxiliary predicate $lt : nt \to nt \to o$ defined as follows.

$lt\ z\ (s\ N) \triangleq \top$
$lt\ (s\ M)\ (s\ N) \triangleq lt\ M\ N$

Now, a formula such as $\forall n.\ (nat\ n) \supset P$ can be proven using strong induction by proving
$\forall n, m.\ (nat\ n \wedge lt\ n\ m \wedge nat\ m) \supset P$ and using induction on $nat\ m$. Section 6.3 contains an
example that uses this approach. Finally, the $def\mathcal{L}$ rule can be used to realize case analysis
based reasoning in the derivation of an atomic goal. Using this rule leads eventually to
a consideration of the different ways in which an atomic judgment may have been inferred
in the specification logic.
In the rest of this chapter, we shall conduct all of our reasoning by constructing deriva-
tions in $\mathcal{G}$, with the exception of adequacy arguments where we will need to reason over
$\mathcal{G}$ derivations. Thus, when we say that "a formula $F$ is provable" or that "a formula $F$ is
provable in $\mathcal{G}$", we shall mean that the sequent $\longrightarrow F$ is provable in $\mathcal{G}$. Moreover, when
we talk about the "proof of a formula $F$" we shall mean the derivation in $\mathcal{G}$ of the se-
quent $\longrightarrow F$. When we say that such proofs are constructed "by induction" we shall mean
that we use the $\mathcal{IL}$ rule of $\mathcal{G}$ with an induction invariant derived from the entire sequent
being considered. We shall also talk about proving a formula by induction on one of its
hypotheses (i.e., one of its subformulas to the left of a $\supset$) by which we mean following the
constructions for induction described in Chapter 5. The construction of the derivations in
$\mathcal{G}$ is often straightforward, with only a few sequents which may be interesting, and so we
shall frequently skip directly to such sequents. Finally, we shall often use running text to
describe the construction of a derivation in $\mathcal{G}$; this is possible since the rules of $\mathcal{G}$ often
mimic traditional mathematical reasoning, but it must be remembered that the proof is
still being carried out within $\mathcal{G}$.

Several of the results that we present below concern the provability of formulas in
$\mathcal{G}$. While our proofs of these results here involve arguing about derivations in $\mathcal{G}$, it is
important to note that these arguments sketch a scheme for actually carrying out the
proof within a system such as Abella. Thus, the justification for using such formulas in
subsequent arguments is completely formalized through actual mechanical proofs and the
lemma mechanism of Abella; in particular, the resulting style of (mechanized) argument
does not rely on the informal proofs we present to justify the approach.

6.1.3 Some Provable Properties of the Specification Logic

It is often convenient to reason directly with formulas of the form $\mathcal{L} \Vdash G$ rather than
expanding them into $\exists n.\ \mathit{nat}\ n \wedge \mathit{seq}_n\ \mathcal{L}\ G$. In this section, we show that certain schematic
formulas corresponding to $\Vdash$ judgments are provable in $\mathcal{G}$. Using these as lemmas allows us
to encode certain direct forms of reasoning about $\Vdash$ in $\mathcal{G}$ proofs. The particular formulas
that we show to be provable in $\mathcal{G}$ closely mirror the clauses which define the seq predicate.

Lemma 6.1.1. The following formulas are provable in $\mathcal{G}$.

1. $\forall \mathcal{L}.\ (\mathcal{L} \Vdash \top)$

2. $\forall \mathcal{L}, g_1, g_2.\ (\mathcal{L} \Vdash g_1) \supset (\mathcal{L} \Vdash g_1 \vee g_2)$

3. $\forall \mathcal{L}, g_1, g_2.\ (\mathcal{L} \Vdash g_2) \supset (\mathcal{L} \Vdash g_1 \vee g_2)$

4. $\forall \mathcal{L}, g_1, g_2.\ (\mathcal{L} \Vdash g_1) \wedge (\mathcal{L} \Vdash g_2) \supset (\mathcal{L} \Vdash g_1 \wedge g_2)$

5. $\forall \mathcal{L}, a, g.\ (a :: \mathcal{L} \Vdash g) \supset (\mathcal{L} \Vdash a \supset g)$

6. $\forall \mathcal{L}, g.\ (\nabla x.\ (\mathcal{L} \Vdash (g\ x))) \supset (\mathcal{L} \Vdash \forall g)$

7. $\forall \mathcal{L}, g, t.\ (\mathcal{L} \Vdash (g\ t)) \supset (\mathcal{L} \Vdash \exists g)$

Proof. It is easy to see that formulas 1, 2, 3, 5 and 7 are provable in $\mathcal{G}$ by unfolding
(i.e., using defR on) the goal formulas.

In the straightforward construction of a proof of formula 4 we shall need to construct
a proof of the following sequent.

$\mathit{nat}\ n,\ \mathit{seq}_n\ \mathcal{L}\ g_1,\ \mathit{nat}\ m,\ \mathit{seq}_m\ \mathcal{L}\ g_2 \longrightarrow \exists p.\ \mathit{nat}\ p \wedge \mathit{seq}_p\ \mathcal{L}\ (g_1 \wedge g_2)$

To prove this we must reconcile the measures $n$ and $m$. Towards this end, we first
show that the following formula relating $n$ and $m$ is provable in $\mathcal{G}$:

$\forall m, n.\ (\mathit{nat}\ m) \wedge (\mathit{nat}\ n) \supset (\mathit{lt}\ m\ n) \vee (m = n) \vee (\mathit{lt}\ n\ m)$

This can be proved by induction on one of the nat hypotheses. Then we can also prove the
following formula, which allows us to increase the measure of a derivation:

$\forall m, n, \mathcal{L}, g.\ (\mathit{lt}\ m\ n) \wedge (\mathcal{L} \Vdash_m g) \supset (\mathcal{L} \Vdash_n g)$

This is proved by induction on $\mathit{lt}\ m\ n$. Using these two lemmas the rest of the proof is
straightforward.

In constructing a proof of formula 6 we will find it necessary to construct a proof of
the sequent

$\exists n.\ \mathit{nat}\ n \wedge \mathit{seq}_n\ \mathcal{L}\ (g\ a) \longrightarrow \exists m.\ \mathit{nat}\ m \wedge \mathit{seq}_m\ \mathcal{L}\ (\forall g)$

where $a$ is a nominal constant. Now when we apply $\exists$L, we have the sequent

$\mathit{nat}\ (n'\ a) \wedge \mathit{seq}_{(n'\ a)}\ \mathcal{L}\ (g\ a) \longrightarrow \exists m.\ \mathit{nat}\ m \wedge \mathit{seq}_m\ \mathcal{L}\ (\forall g)$

The raising of $n'$ over $a$ here prevents this proof from going through immediately, thus we
need the following lemma.

$\forall n.\ (\nabla x.\ \mathit{nat}\ (n\ x)) \supset \exists p.\ n = \lambda y.\, p$

This is proved by induction on nat. Once we apply this lemma we have $n' = \lambda y.\, p$ for some
$p$ and the rest of the proof is straightforward. □

6.2 Formalizing Meta-Theoretic Properties of the Specification Logic

In Section 2.2 we observed certain meta-theoretic properties of $hH^\omega$ which are useful in
reasoning about $hH^\omega$ specifications. Since we have encoded the entire specification logic
into $\mathcal{G}$, we can formalize such properties of the specification logic within $\mathcal{G}$. In particular,
we can consider particular formulas in $\mathcal{G}$ that encode these properties and then we can
show that these formulas are provable in $\mathcal{G}$. Doing this will allow us to later bring these
properties to bear on particular reasoning tasks that are carried out using $\mathcal{G}$. The particular
properties of $hH^\omega$ that we consider in this way in this section are monotonicity, instantiation,
and cut admissibility. With one exception, the proofs of these properties never use a prog
formula except in the initial rule and thus the proofs are independent of any particular
specification encoded in prog. The one exception is specifically noted, and even here the
proof is independent of the specification.
Monotonicity The statement of monotonicity for $hH^\omega$, expressed as a formula of $\mathcal{G}$, is

$\forall n, \mathcal{L}_1, \mathcal{L}_2, g.\ (\mathcal{L}_1 \Vdash_n g) \wedge (\forall e.\ \mathit{member}\ e\ \mathcal{L}_1 \supset \mathit{member}\ e\ \mathcal{L}_2) \supset (\mathcal{L}_2 \Vdash_n g)$

The proof is by straightforward induction on the hypothesis $\mathit{nat}\ n$ in $\mathcal{L}_1 \Vdash_n g$.

Instantiation The instantiation property recovers the notion of universal quantification
from our representation of the specification logic $\forall$ using $\nabla$. This property is expressed in
$\mathcal{G}$ through the formula

$\forall \mathcal{L}, g.\ (\nabla x.\ (\mathcal{L}\ x) \Vdash (g\ x)) \supset \forall t.\ (\mathcal{L}\ t) \Vdash (g\ t)$

Stated another way, although $\nabla$ quantification cannot be replaced by $\forall$ quantification in
general, it can be replaced in this way when dealing with specification judgments. The
proof of this formula is by induction on the hypothesis $\mathit{nat}\ n$ in $(\mathcal{L}\ x) \Vdash_n (g\ x)$, and the
following two auxiliary results are useful in constructing this proof.

$\forall \mathcal{L}, a.\ (\nabla x.\ \mathit{member}\ (a\ x)\ (\mathcal{L}\ x)) \supset \forall t.\ \mathit{member}\ (a\ t)\ (\mathcal{L}\ t)$

$\forall a, b.\ (\nabla x.\ \mathit{prog}\ (a\ x)\ (b\ x)) \supset \forall t.\ \mathit{prog}\ (a\ t)\ (b\ t)$

The first is proved by induction on the member hypothesis. The second depends on the
particular specification encoded in prog, but the core of the proof is always applying defL to
$\mathit{prog}\ (a\ x)\ (b\ x)$ followed by defR on $\mathit{prog}\ (a\ t)\ (b\ t)$. This will succeed for any specification
since prog only performs pattern matching and contains no "logic."

Cut admissibility The cut admissibility property of $hH^\omega$ is expressed in $\mathcal{G}$ through the
formula

$\forall \mathcal{L}, a, g.\ (\mathcal{L} \Vdash \langle a \rangle) \wedge (a :: \mathcal{L} \Vdash g) \supset (\mathcal{L} \Vdash g)$

The proof is by induction on the $\mathit{nat}\ n$ assumption in $\exists n.\ \mathit{nat}\ n \wedge \mathit{seq}_n\ (a :: \mathcal{L})\ g$. If $n = z$
then the seq judgment is impossible, thus we know $n = s\ m$ for some $m$. The proof proceeds
by case analysis on the seq judgment.

1. One case is when $g = \langle a' \rangle$ and $\mathit{member}\ a'\ (a :: \mathcal{L})$. Applying defL to this member
hypothesis results in two additional cases: either $a = a'$ so that $\mathcal{L} \Vdash \langle a \rangle$ holds by
assumption, or we know $\mathit{member}\ a'\ \mathcal{L}$ and thus $\mathcal{L} \Vdash \langle a' \rangle$ holds by applying defR and
init.

2. Another case is when $g = a' \supset g'$ so that we have $a' :: a :: \mathcal{L} \Vdash_m g'$. We then apply the
monotonicity property once to get $a :: a' :: \mathcal{L} \Vdash_m g'$ and another time to get $a' :: \mathcal{L} \Vdash \langle a \rangle$.
Then we can apply the inductive hypothesis to get $a' :: \mathcal{L} \Vdash g'$ and therefore $\mathcal{L} \Vdash a' \supset g'$.

3. The remaining cases follow directly from the inductive hypothesis and the results in
Lemma 6.1.1.
$\mathit{prog}\ (\mathit{eval}\ (\mathit{abs}\ A\ R)\ (\mathit{abs}\ A\ R))\ \top \triangleq \top$

$\mathit{prog}\ (\mathit{eval}\ (\mathit{app}\ M\ N)\ V)\ ((\mathit{eval}\ M\ (\mathit{abs}\ A\ R)) \wedge (\mathit{eval}\ (R\ N)\ V)) \triangleq \top$

$\mathit{prog}\ (\mathit{of}\ (\mathit{app}\ M\ N)\ B)\ ((\mathit{of}\ M\ (\mathit{arr}\ A\ B)) \wedge (\mathit{of}\ N\ A)) \triangleq \top$

$\mathit{prog}\ (\mathit{of}\ (\mathit{abs}\ A\ R)\ (\mathit{arr}\ A\ B))\ (\forall x.\ \mathit{of}\ x\ A \supset (\mathit{of}\ (R\ x)\ B)) \triangleq \top$

Figure 6.2: prog clauses for the simply-typed λ-calculus

6.3 An Example of the Two-level Logic Reasoning Approach

Within this framework of the two-level logic approach to reasoning, we come back to the
example of evaluation and typing for the simply-typed λ-calculus. We use the $hH^\omega$ specifica-
tion of these notions given in Section 2.3 which yields the prog clauses shown in Figure 6.2.
We can now formalize the type preservation theorem completely in the meta-logic:

Theorem 6.3.1. The following formula is derivable in $\mathcal{G}$.

$\forall e, t, v.\ (\Vdash \langle \mathit{eval}\ e\ v \rangle) \wedge (\Vdash \langle \mathit{of}\ e\ t \rangle) \supset (\Vdash \langle \mathit{of}\ v\ t \rangle)$

Proof. The informal argument for the proof of type preservation presented in Section 2.3
is based on strong induction over the height of $hH^\omega$ derivations. We will now show how we
can mimic that same style of induction in $\mathcal{G}$. We first generalize the formula we want to
prove to the following.

$\forall e, t, v, i, j.\ (\mathit{nat}\ j) \wedge (\mathit{lt}\ i\ j) \wedge (\mathit{seq}_i\ \mathit{nil}\ \langle \mathit{eval}\ e\ v \rangle) \wedge (\Vdash \langle \mathit{of}\ e\ t \rangle) \supset (\Vdash \langle \mathit{of}\ v\ t \rangle)$

If we prove this generalization, then we can use the cut rule to bring it in as a hypothesis
in a proof of the original formula. The resulting sequent will then be easily provable. To
prove the generalization, we use induction on $\mathit{nat}\ j$. In the case where $j = z$, the proof is
trivial since $\mathit{lt}\ i\ z$ is unsatisfiable. In the other case we have $j = s\ j'$ and we know the result
holds for any $i$ such that $\mathit{lt}\ i\ j'$. In this way, we can completely handle the strong induction
within our logic.

The rest of the proof of the generalization closely follows the informal argument, with only
the following points worthy of note.

Case analysis on specification judgments in the informal argument is realized in the
construction of a derivation in $\mathcal{G}$ by using defL twice. Specifically, if we want to do case
analysis on a derivation such as $\mathit{seq}_i\ \mathit{nil}\ \langle \mathit{eval}\ e\ v \rangle$ then we apply defL which results in two
cases. The first is that $\mathit{member}\ (\mathit{eval}\ e\ v)\ \mathit{nil}$ holds, which is impossible. The second is that
$\exists b.\ \mathit{prog}\ (\mathit{eval}\ e\ v)\ b \wedge \mathit{seq}_{i'}\ \mathit{nil}\ b$ holds for some $i'$ such that $i = s\ i'$. Then we can apply defL
on $\mathit{prog}\ (\mathit{eval}\ e\ v)\ b$ which gives us the two cases corresponding to the clauses for forming
eval judgments.

The instantiation and cut admissibility properties of our specification logic which are
used in the informal argument are now formal lemmas which are applied in this proof. Thus
the entire proof is formally constructed within $\mathcal{G}$ while still using meta-theoretic properties
of $hH^\omega$. □



6.4 Architecture of a Two-level Logic Based Theorem Prover

The architecture of the Abella theorem prover for $\mathcal{G}$ presented in Chapter 5 can be naturally
extended to support the two-level logic approach to reasoning that is the topic of discussion
in this current chapter. In fact, the Abella system already incorporates such an extension
[Gac09]. In this section we briefly describe the architectural changes which facilitate this
support. Most of these changes can be motivated from the type preservation example shown
in the previous section which we will refer to as simply "the example."

The first step in the two-level logic approach to reasoning is encoding a specification into
the proper prog statement. Abella facilitates this by reading specifications written in the
subset of λProlog which corresponds to $hH^\omega$. In this way, the specifications used by Abella
are directly executable by λProlog implementations such as Teyjus without the potentially
error-prone need to translate between different input languages.

To reduce the syntactic overhead associated with the two-level logic approach to reason-
ing, Abella has specialized syntax for representing judgments of the form $\mathcal{L} \Vdash g$. Direct
reasoning on these judgments is enabled by incorporating the derived rules of inference
from Section 6.1.3. Case analysis on judgments of the form $\mathcal{L} \Vdash g$ in Abella corresponds to
applying defL to the underlying seq judgment followed by applying defL to the resulting
prog judgment. Trivial cases such as $\mathit{member}\ E\ \mathit{nil}$ are handled automatically. Thus much
of the overhead which is shown in the example is hidden when working with Abella.

The monotonicity, instantiation, and cut-admissibility properties of the specification
logic (Section 6.2) are incorporated into Abella in the form of tactics. Moreover, the mono-
tonicity property is incorporated into some other existing tactics since it seems to be used
most often. For example, when determining if $\mathcal{L} \Vdash g$ implies $\mathcal{L}' \Vdash g$ the system checks if $\mathcal{L}$ is
an obvious subset of $\mathcal{L}'$. Such checks arise often, for example, when applying a lemma to
hypotheses.

Abella simulates strong induction on $hH^\omega$ derivations using the technique shown in the
example. In general, the induction tactic applied to a judgment of the form $\mathcal{L} \Vdash g$ is treated
as strong induction on the underlying measure. This is approximated using the annotation
based treatment of induction from Section 5.2 applied directly to specification judgments.
This has the benefit of removing much of the tedious reasoning about natural numbers
which would otherwise clutter a proof. As an example of this annotation based treatment,
suppose we want to prove a formula of the form

$\forall \bar{x}.\ (\mathcal{L} \Vdash g) \supset F.$

Then the induction scheme creates the following inductive hypothesis and goal, respectively:

$\forall \bar{x}.\ (\mathcal{L} \Vdash g)^{*} \supset F \qquad\qquad \forall \bar{x}.\ (\mathcal{L} \Vdash g)^{@} \supset F.$

Eventual case analysis on $(\mathcal{L} \Vdash g)^{@}$ results in recursive judgments of the form $(\mathcal{L}' \Vdash g')^{*}$ which
are subject to the inductive hypothesis. The monotonicity and instantiation properties
of the specification logic preserve the height of $hH^\omega$ derivations, and thus tactics which
implement them preserve induction annotations as well (since induction is being carried
out on the underlying height measure). Finally, suppose we want to deal with mutual
induction on specification judgments. For example, suppose we have a goal of the form

$(\forall \bar{x}_1.\ (\mathcal{L}_1 \Vdash g_1) \supset F_1) \wedge (\forall \bar{x}_2.\ (\mathcal{L}_2 \Vdash g_2) \supset F_2).$

We can perform induction on both of the specification judgments simultaneously by instead
considering the following goal

$\forall n.\ \mathit{nat}\ n \supset (\forall \bar{x}_1.\ (\mathcal{L}_1 \Vdash_n g_1) \supset F_1) \wedge (\forall \bar{x}_2.\ (\mathcal{L}_2 \Vdash_n g_2) \supset F_2),$

and performing induction on $\mathit{nat}\ n$. Once this new goal is proven, the original is an easy
consequence. We extend the annotation based treatment of induction to treat this kind of
mutual induction directly. Specifically, it creates the following two inductive hypotheses

$(\forall \bar{x}_1.\ (\mathcal{L}_1 \Vdash g_1)^{*} \supset F_1) \qquad\qquad (\forall \bar{x}_2.\ (\mathcal{L}_2 \Vdash g_2)^{*} \supset F_2),$

and the goal becomes

$(\forall \bar{x}_1.\ (\mathcal{L}_1 \Vdash g_1)^{@} \supset F_1) \wedge (\forall \bar{x}_2.\ (\mathcal{L}_2 \Vdash g_2)^{@} \supset F_2).$

The proof then proceeds as normal. When case analysis is performed on a judgment with
a @ annotation, the recursive calls will have the * annotation and thus be candidates for
either of the inductive hypotheses.
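The following Abella script is an added illustration, not part of this thesis or of the Abella distribution: it carries out the type preservation proof of Section 6.3 exactly as the architecture just described presents it to the user. It assumes that the specification of Figure 6.2 has been written as the two λProlog files eval.sig and eval.mod reproduced in the leading comments, and that the script is run under Abella 2.0.x; the hypothesis names given in the comments are those Abella generates in that version. The two `case` steps are the two applications of defL described in Section 6.3, `inst` and `cut` are the instantiation and cut-admissibility properties of Section 6.2, and the `*` and `@` annotations are the induction scheme of this section.

```abella
%% Added example: Theorem 6.3.1 as an Abella proof script.
%% Assumed specification files, read directly by Abella (not reproduced
%% elsewhere on this page):
%%
%%   eval.sig:
%%     sig eval.
%%     kind tm, ty   type.
%%     type app      tm -> tm -> tm.
%%     type abs      ty -> (tm -> tm) -> tm.
%%     type arr      ty -> ty -> ty.
%%     type eval     tm -> tm -> o.
%%     type of       tm -> ty -> o.
%%
%%   eval.mod:
%%     module eval.
%%     eval (abs A R) (abs A R).
%%     eval (app M N) V :- eval M (abs A R), eval (R N) V.
%%     of (app M N) B :- of M (arr A B), of N A.
%%     of (abs A R) (arr A B) :- pi x\ of x A => of (R x) B.

Specification "eval".

%% {G} is Abella's syntax for the judgment nil ||- <G>.
Theorem type_preserve : forall E V T,
  {eval E V} -> {of E T} -> {of V T}.
induction on 1.   % strong induction on the height of the eval derivation:
                  % the goal carries {eval E V}@, the hypothesis IH carries
                  % {eval E V}* in its antecedent
intros. case H1.  % defL on seq then defL on prog: one case per eval clause;
                  % the member (eval E V) nil case is discarded automatically
  %% Case eval (abs A R) (abs A R): H2 is already {of (abs A R) T}.
  search.
  %% Case eval (app M N) V:
  %%   H3 : {eval M (abs A R)}*      H4 : {eval (R N) V}*
  case H2.              % H5 : {of M (arr A1 T)}   H6 : {of N A1}
  apply IH to H3 H5.    % H7 : {of (abs A R) (arr A1 T)}
  case H7.              % H8 : {of n1 A |- of (R n1) T}   (A1 unified with A)
  inst H8 with n1 = N.  % instantiation property: H9 : {of N A |- of (R N) T}
  cut H9 with H6.       % cut admissibility:      H10 : {of (R N) T}
  apply IH to H4 H10.   % H11 : {of V T}
  search.
```

Compared with the proof sketched in Section 6.3, there is no explicit measure $j$ and no $\mathit{lt}\ i\ j$ hypothesis: the `*`/`@` annotations stand in for them, and `case H7` directly produces the judgment with the extended context $\mathit{of}\ n_1\ A$ that the informal argument obtains by the GENERIC rule.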

6.5 Adequacy for the Two-level Logic Approach to Reasoning

Adequacy within the framework based on the two-level logic approach to reasoning has
three components:

1. Our encoding of the object system into $hH^\omega$ must be adequate.

2. Our encoding of $hH^\omega$ into $\mathcal{G}$ must be adequate.

3. We must show that information about object system properties can be extracted from
theorems in $\mathcal{G}$ via the two encodings.

The first component is particular to the object system of interest. For example, adequacy
for the $hH^\omega$ encoding of evaluation and typing for the simply-typed λ-calculus was shown
in Section 2.4. In the current section we are primarily concerned with the latter two components
which deal with adequacy relative to $\mathcal{G}$. The second component is a general result about
$hH^\omega$ and its encoding in the predicate seq (we shall often call this simply "the adequacy
of seq"). The proof of this result is carried out in the next subsection, and it never needs
to be changed since $hH^\omega$ and seq are fixed. The last component of adequacy is particular
to the theorems of interest, and in Section 6.5.2 we show this adequacy for the example of
type preservation for the simply-typed λ-calculus.

There is some difficulty in establishing adequacy relative to $\mathcal{G}$. When we represent
objects in $\mathcal{G}$ we usually denote bound variables using λ-terms and free variables using
nominal constants. Then, when we quantify over such objects, we are usually interested
only in objects whose free variables are restricted to a particular set (e.g., we may care
only about closed objects). The $\forall$ and $\exists$ quantifiers of $\mathcal{G}$, however, allow nominal constants
to appear freely in the terms that instantiate them. There are two ways to address this
mismatch (without modifying the logic $\mathcal{G}$). The first is to define an explicit typing of objects
(e.g., through a predicate $\mathit{typeof}\ L\ T\ A$ where $L$ is a context of nominal constants), and
to attach this typing judgment to all quantified variables. This is a very heavy approach
and requires explicitly maintaining a context of which nominal constants are allowed to
appear in objects. An alternative approach, and the one we use to establish the adequacy
of seq in the next subsection, is to restrict the use of nominal constants in such a way
that adequacy can still be established. How exactly this is done depends on the particular
system of interest and how nominal constants are treated by it. In the case of seq we know
that nominal constants can always be instantiated, thus the only restriction we need is that
nominal constants are allowed only at inhabited types.

6.5.1 Adequacy of Encoding of the Specification Logic

We now show that our encoding of the specification logic $hH^\omega$ in the definition of seq and
prog is adequate. The critical aspect of this result is showing that theoremhood in the two
systems is preserved under an appropriate mapping.

Theorem 6.5.1. Let $\Delta$ be a list of closed D-formulas, $\mathcal{L}$ a list of atoms, $G$ a G-formula, and
$\Sigma$ a set of eigenvariables containing at least the free variables of $\Delta$, $\mathcal{L}$, and $G$. Suppose that
all non-logical specification logic constants and types are represented by equivalent constants
and types in $\mathcal{G}$. Suppose also that specification logic $\forall$-quantification (eigenvariables) and
meta-logic $\nabla$-quantification (nominal constants) are allowed only at inhabited types. Then
$\Sigma : \Delta, \mathcal{L} \vdash G$ has a derivation in $hH^\omega$ if and only if $\psi(\mathcal{L}) \Vdash \psi(G)$ is provable in $\mathcal{G}$ with
the clauses for nat, member, and seq as stated before and the clauses for prog as given by
$\psi(\Delta)$.

Proof. Note that in this proof we will desugar the representation of quantification and
substitution in the specification logic.
Forward direction. Given a derivation of $\Sigma : \Delta, \mathcal{L} \vdash G$ in $hH^\omega$, we will construct a
proof of $\psi(\mathcal{L}) \Vdash \psi(G)$ in $\mathcal{G}$. The construction uses structural induction on the $hH^\omega$ derivation
and proceeds by cases on the last rule used in the derivation.

1. Suppose the derivation ends with $\vee R_1$:

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G_1}{\Sigma : \Delta, \mathcal{L} \vdash G_1 \vee G_2}\ \vee R_1$

By the inductive hypothesis we know $\psi(\mathcal{L}) \Vdash \psi(G_1)$ is provable in $\mathcal{G}$. Then we know
$\psi(\mathcal{L}) \Vdash \psi(G_1 \vee G_2)$ using the appropriate formula from Lemma 6.1.1.

2. Suppose the derivation ends with TRUE, $\vee R_2$, AND, or AUGMENT: these cases are
similar to the previous one.

3. Suppose the derivation ends with GENERIC:

$\dfrac{\Sigma, c : \Delta, \mathcal{L} \vdash G'\ c}{\Sigma : \Delta, \mathcal{L} \vdash \forall G'}\ \mathrm{GENERIC}$

By the inductive hypothesis we know $\psi(\mathcal{L}) \Vdash \psi(G'\ c)$ is provable in $\mathcal{G}$. We also know
$\psi(G'\ c) = \psi(G')\ a_c$ where $a_c$ is a nominal constant not in $\psi(\Sigma)$ (and therefore not
occurring in $\psi(\mathcal{L})$ or $\psi(G')$). Thus we know there is a proof of $\nabla x.\ (\psi(\mathcal{L}) \Vdash (\psi(G')\ x))$.
Using the appropriate formula from Lemma 6.1.1 there must be a proof of $\psi(\mathcal{L}) \Vdash \forall \psi(G')$.

4. Suppose the derivation ends with INSTANCE:

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G'\ t}{\Sigma : \Delta, \mathcal{L} \vdash \exists G'}\ \mathrm{INSTANCE}$

By the inductive hypothesis we know $\psi(\mathcal{L}) \Vdash \psi(G'\ t)$ is provable in $\mathcal{G}$. We also know
$\psi(G'\ t) = \psi(G')\ \psi(t)$. Using the appropriate formula from Lemma 6.1.1 there must
be a proof of $\psi(\mathcal{L}) \Vdash \exists \psi(G')$.

5. Suppose the derivation ends with BACKCHAIN:

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G_1\ \bar{t} \qquad \cdots \qquad \Sigma : \Delta, \mathcal{L} \vdash G_m\ \bar{t}}{\Sigma : \Delta, \mathcal{L} \vdash A}\ \mathrm{BACKCHAIN}$

where $\forall \bar{x}.(G_1\ \bar{x} \supset \cdots \supset G_m\ \bar{x} \supset A'\ \bar{x}) \in \Delta, \mathcal{L}$ and $A'\ \bar{t} = A$. We distinguish two cases
based on whether the formula is in $\Delta$ or in $\mathcal{L}$.

(a) Suppose $\forall \bar{x}.(G_1\ \bar{x} \supset \cdots \supset G_m\ \bar{x} \supset A'\ \bar{x}) \in \Delta$. Then we must have the following
clause.

$\forall \bar{x}.\ \mathit{prog}\ (\psi(A')\ \bar{x})\ (\psi(G_1)\ \bar{x} \wedge \cdots \wedge \psi(G_m)\ \bar{x}) \triangleq \top$

By the inductive hypothesis we have a proof of $\psi(\mathcal{L}) \Vdash \psi(G_i\ \bar{t})$ for each $i \in
\{1, \ldots, m\}$. By repeatedly using the appropriate formula from Lemma 6.1.1 we
can construct a proof of $\psi(\mathcal{L}) \Vdash (\psi(G_1\ \bar{t}) \wedge \cdots \wedge \psi(G_m\ \bar{t}))$, which we can write
as $\psi(\mathcal{L}) \Vdash (\psi(G_1)\ \psi(\bar{t}) \wedge \cdots \wedge \psi(G_m)\ \psi(\bar{t}))$. Finally we know $\psi(A) = \psi(A'\ \bar{t}) =
\psi(A')\ \psi(\bar{t})$. Thus we know $\exists b.\ \mathit{prog}\ \psi(A)\ b \wedge (\psi(\mathcal{L}) \Vdash b)$ and we can construct a
proof of $\psi(\mathcal{L}) \Vdash \langle \psi(A) \rangle$.

(b) Suppose $\forall \bar{x}.(G_1\ \bar{x} \supset \cdots \supset G_m\ \bar{x} \supset A'\ \bar{x}) \in \mathcal{L}$. Since $\mathcal{L}$ contains only atoms we
must have $A = A'$ and thus $A \in \mathcal{L}$. Then $\mathit{member}\ \psi(A)\ \psi(\mathcal{L})$ is provable and
thus so is $\psi(\mathcal{L}) \Vdash \langle \psi(A) \rangle$.
Backward direction. It suffices to show that if $\mathit{nat}\ (s\ n)$ and $\mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ \psi(G)$ have
cut-free proofs in $\mathcal{G}$, then we can construct a derivation of $\Sigma : \Delta, \mathcal{L} \vdash G$ in $hH^\omega$ for any $\Sigma$
which contains at least the eigenvariables of $\mathcal{L}$ and $G$. The proof is by induction on the
natural number denoted by $(s\ n)$ (which we know is a natural number since $\mathit{nat}\ (s\ n)$ has
a proof). This proof will always end with defR (or can be seen to) and we will consider
cases based on the definitional clause used in this rule.

1. The cases for the first five clauses of seq are all similar and thus we will consider just
one instance. Suppose the cut-free proof ends with

$\dfrac{\longrightarrow \mathit{seq}_n\ \psi(\mathcal{L})\ \psi(G_1)}{\longrightarrow \mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ (\psi(G_1) \vee \psi(G_2))}\ \mathrm{defR}$

By the inductive hypothesis we know there is a derivation of $\Sigma : \Delta, \mathcal{L} \vdash G_1$ and we
can construct the following.

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G_1}{\Sigma : \Delta, \mathcal{L} \vdash G_1 \vee G_2}\ \vee R_1$

2. Suppose the cut-free proof ends with

$\dfrac{\dfrac{\longrightarrow \mathit{seq}_n\ \psi(\mathcal{L})\ (\psi(G')\ a)}{\longrightarrow \nabla x.\ \mathit{seq}_n\ \psi(\mathcal{L})\ (\psi(G')\ x)}\ \nabla R}{\longrightarrow \mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ (\forall \psi(G'))}\ \mathrm{defR}$

Since $\psi(G')\ a = \psi(G'\ h_a)$ we know from the inductive hypothesis that there is a
derivation of $\Sigma, h_a : \Delta, \mathcal{L} \vdash G'\ h_a$. Thus we can construct the following.

$\dfrac{\Sigma, h_a : \Delta, \mathcal{L} \vdash G'\ h_a}{\Sigma : \Delta, \mathcal{L} \vdash \forall G'}\ \mathrm{GENERIC}$

3. Suppose the cut-free proof ends with

$\dfrac{\dfrac{\Sigma, \mathcal{K} \vdash t : \tau \qquad \longrightarrow \mathit{seq}_n\ \psi(\mathcal{L})\ (\psi(G')\ t)}{\longrightarrow \exists x.\ \mathit{seq}_n\ \psi(\mathcal{L})\ (\psi(G')\ x)}\ \exists R}{\longrightarrow \mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ (\exists \psi(G'))}\ \mathrm{defR}$

Now $t$ may contain any nominal constants and therefore $t' = \psi^{-1}(t)$ may contain eigen-
variables not in $\Sigma$. Thus when we apply the inductive hypothesis to $\mathit{seq}_n\ \psi(\mathcal{L})\ \psi(G'\ t')$
we get a derivation of $\Sigma' : \Delta, \mathcal{L} \vdash G'\ t'$ where $\Sigma'$ may contain additional eigenvari-
ables. To reconcile this, we use the restriction that eigenvariables are allowed only at
inhabited types. For each eigenvariable in $t'$ and not in $\Sigma$, we select an inhabitant of
the corresponding type and substitute it for the eigenvariable using the instantiation
property of $hH^\omega$. Since these eigenvariables do not occur in $\Sigma$, they also do not occur
in $\mathcal{L}$ or $G'$ and therefore the instantiations affect only $t'$. Thus the result of all these
instantiations is a derivation of $\Sigma : \Delta, \mathcal{L} \vdash G'\ t''$ for some $t''$. Then we can construct
the following.

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G'\ t''}{\Sigma : \Delta, \mathcal{L} \vdash \exists G'}\ \mathrm{INSTANCE}$

4. Suppose the cut-free proof ends with

$\dfrac{\longrightarrow \mathit{member}\ \psi(A)\ \psi(\mathcal{L})}{\longrightarrow \mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ \langle \psi(A) \rangle}\ \mathrm{defR}$

Then it must be that $A \in \mathcal{L}$, and so we can construct the following.

$\dfrac{}{\Sigma : \Delta, \mathcal{L} \vdash A}\ \mathrm{BACKCHAIN}$

5. Suppose the cut-free proof ends with

$\dfrac{\dfrac{\dfrac{\dfrac{}{\longrightarrow \mathit{prog}\ \psi(A)\ b}\ \mathrm{defR} \qquad \longrightarrow \mathit{seq}_n\ \psi(\mathcal{L})\ b}{\longrightarrow \mathit{prog}\ \psi(A)\ b \wedge \mathit{seq}_n\ \psi(\mathcal{L})\ b}\ \wedge R}{\longrightarrow \exists b.\ \mathit{prog}\ \psi(A)\ b \wedge \mathit{seq}_n\ \psi(\mathcal{L})\ b}\ \exists R}{\longrightarrow \mathit{seq}_{(s\ n)}\ \psi(\mathcal{L})\ \langle \psi(A) \rangle}\ \mathrm{defR}$

for some instantiation of $b$. Suppose also that $\mathit{prog}\ \psi(A)\ b$ holds by matching with
some clause

$\forall \bar{x}.\ \mathit{prog}\ (\psi(A')\ \bar{x})\ (\psi(G_1)\ \bar{x} \wedge \cdots \wedge \psi(G_m)\ \bar{x}) \triangleq \top.$

Then we know $\forall \bar{x}.(G_1\ \bar{x} \supset \cdots \supset G_m\ \bar{x} \supset A'\ \bar{x}) \in \Delta$. From matching with the
prog clause we know there exists $\bar{t}$ such that $\psi(A) = \psi(A')\ \bar{t}$, so let $\bar{s} = \psi^{-1}(\bar{t})$.
Then $b$ is $\psi(G_1\ \bar{s}) \wedge \cdots \wedge \psi(G_m\ \bar{s})$ and we have proofs of $\mathit{seq}_n\ \psi(\mathcal{L})\ \psi(G_i\ \bar{s})$ for each
$i \in \{1, \ldots, m\}$. By the inductive hypothesis we have derivations of $\Sigma' : \Delta, \mathcal{L} \vdash G_i\ \bar{s}$
where $\Sigma'$ contains the eigenvariables of $\mathcal{L}$, $G_1, \ldots, G_m$, and $\bar{s}$. Note that as was the case
for the seq rule governing the existential quantifier, $\Sigma'$ may contain some eigenvariables
from $\bar{s}$ which do not occur in $\Sigma$. As with that case, we can use the restriction on
specification logic eigenvariables to instantiate all such eigenvariables with inhabitants,
therefore yielding derivations $\Sigma : \Delta, \mathcal{L} \vdash G_i\ \bar{r}$ where $\bar{r}$ is the result of the instantiations
on $\bar{s}$. Finally, we know $A = A'\ \bar{s}$ but we need to know $A = A'\ \bar{r}$. Note that $A'$ contains
no eigenvariables and the eigenvariables of $A$ are a subset of $\Sigma$, thus the eigenvariables
in $\bar{s}$ but not in $\Sigma$ play no role in the equality $A = A'\ \bar{s}$. Therefore instantiating those
eigenvariables does not change the equality and we have $A = A'\ \bar{r}$. Thus we can
construct the following.

$\dfrac{\Sigma : \Delta, \mathcal{L} \vdash G_1[\bar{r}/\bar{x}] \qquad \cdots \qquad \Sigma : \Delta, \mathcal{L} \vdash G_m[\bar{r}/\bar{x}]}{\Sigma : \Delta, \mathcal{L} \vdash A}\ \mathrm{BACKCHAIN}$
Note that this theorem restricts the definitions of the predicates nat, member, seq,
and prog, but makes no explicit reference to other predicates. Indeed, the definitions of
other predicates have no effect on the adequacy of the encoding of the specification logic.
Additionally, $\mathcal{G}$ may make use of additional constants and types which are unconnected
to the constants and types used to represent the specification logic without affecting the
adequacy of the encoding.

Another point of interest is the following condition of the previous theorem: specifica-
tion logic $\forall$-quantification and meta-logic $\nabla$-quantification are allowed only at inhabited
types. This condition arises because we have chosen to do a shallow encoding of the typing
judgment of the specification logic. That is, rather than encode an explicit typing judg-
ment for specification logic terms, we have instead relied on the typing judgment of $\mathcal{G}$ to
enforce the well-formedness of terms. Due to the lack of restrictions on the occurrences of
nominal constants, the typing judgment in $\mathcal{G}$ is more permissive than the specification logic
typing. As the previous theorem shows, however, this difference only manifests itself for
uninhabited types. A deeper encoding involving an explicit typing judgment would avoid
this condition, but would also impose additional overhead in terms of reasoning
about and through the encoding. We find the shallow encoding to be a good balance in
practice.



6.5.2 Adequacy of Type Preservation Example

We can now use our adequacy results to extract a proof of type preservation for the simply-
typed λ-calculus from the proof of its encoding in $\mathcal{G}$.

Theorem 6.5.2. If $t \Downarrow v$ and $\vdash t : \alpha$ then $\vdash v : \alpha$.

Proof. Suppose $t \Downarrow v$ and $\vdash t : \alpha$, then by the adequacy results in Section 2.4 we know
that $\Delta \vdash \mathit{eval}\ \phi(t)\ \phi(v)$ and $\Delta \vdash \mathit{of}\ \phi(t)\ \phi(\alpha)$ have derivations in $hH^\omega$ where $\phi$ is the
bijection between the object language and its specification logic representation and $\Delta$ is
the specification of eval and of. By Theorem 6.5.1 we know $\Vdash \langle \mathit{eval}\ \psi(\phi(t))\ \psi(\phi(v)) \rangle$
and $\Vdash \langle \mathit{of}\ \psi(\phi(t))\ \psi(\phi(\alpha)) \rangle$ have proofs in $\mathcal{G}$. Using these proofs and the proof of the
formula in Theorem 6.3.1 together with various rules of $\mathcal{G}$ (notably the cut rule), we can
construct a proof of $\Vdash \langle \mathit{of}\ \psi(\phi(v))\ \psi(\phi(\alpha)) \rangle$ in $\mathcal{G}$. Then using the backward direction of
Theorem 6.5.1 we know $\Delta \vdash \mathit{of}\ \phi(v)\ \phi(\alpha)$ has a derivation in $hH^\omega$, and using the adequacy
results from Section 2.4 we find that $\vdash v : \alpha$ must hold. □



Chapter 7 



Applications of The Framework 



In this chapter we consider various applications of the proposed framework, focusing mainly
on the reasoning component. The purpose of these applications is to illustrate both the
strengths and the weaknesses of the framework. From this perspective, we are interested in
the quality of the encodings and associated reasoning, e.g., properties such as naturalness,
expressiveness, complexity, and overhead. We will try to expose and highlight these traits
in this chapter.

We begin in Section 7.1 with a proof of type uniqueness for the simply-typed λ-calculus
which provides a simple example of how judgment contexts and the related variable freshness
information is handled in the framework. In Section 7.2 we present a solution to part of the
POPLmark challenge [ABF+05] which demonstrates the more sophisticated inductive rea-
soning that is possible within $\mathcal{G}$. Section 7.3 contains an example of proving the equivalence
of λ-terms based on the set of paths they contain, and shows how easily the framework han-
dles formulas with a more sophisticated quantification structure. In Section 7.4 we describe
a translation between higher-order abstract syntax and de Bruijn notation for λ-terms, and
we show that this translation is deterministic in both directions. This example highlights a
more expressive use of definitions to describe the structure of judgment contexts. Finally,
in Section 7.5 we show how Girard's proof of strong normalization for the simply-typed
λ-calculus can be encoded. This is by far the largest application in this chapter, and it uses
many of the features highlighted by previous examples as well as introducing new ones such
as a way of dealing with an arbitrary number of substitutions applied to a term.

There have been many other applications of the reasoning component of our framework
that we do not discuss explicitly in this thesis. These include the following.

• Properties of big and small step evaluation and typing in the simply-typed λ-calculus

• Translation among combinatory logic, natural deduction, and sequent calculus

• Soundness and completeness for a focused sequent calculus

• Cut-admissibility for LJ

• Takahashi's proof of the Church-Rosser theorem

• Properties of bisimulation in CCS and the π-calculus

• Tait's argument for weak normalization of the simply-typed λ-calculus [GMN08b]

• The substitution theorem for Canonical LF
All of the applications mentioned above and the ones presented in this chapter are available
on the Abella website [Gac09]. We note that some of these examples have been developed
by other researchers. Randy Pollack contributed the formalization of the Church-Rosser
result. The formalization of the substitution theorem for Canonical LF was contributed
by Todd Wilson and is the largest development done in Abella to date. This development
includes two sophisticated results: one which uses a triply nested induction where the inner-
most induction is an eight-way mutual induction and another which uses a doubly nested
induction with an outer strong induction and an inner three-way mutual induction. The
richness and elegance of this development serves as a powerful example of the expressivity
of Abella.

Finally, before we proceed to the examples we establish a few common items and conven-
tions which simplify the presentation. First, in specification formulas we elide the outermost
universal quantifiers and assume that tokens given by capital letters denote variables that
are implicitly universally quantified over the entire formula. Second, for judgments of the
form $(L \Vdash \langle A \rangle)$ we write simply $(L \Vdash A)$ since we will only ever display this with atomic
formulas on the right of the judgment. We assume the following definition of name (with
appropriate type based on the application):

We will use the following result about the (non)occurrences of nominal constants in lists:

$\forall L, E.\ \nabla x.\ \mathit{member}\ (E\ x)\ L \supset \exists E'.\ (E = \lambda y.\, E')$

This says that if an element of a list depends on a nominal constant and the list itself does
not, then the element's dependency must be vacuous. The proof is by induction on the
member hypothesis. We will leave out the details of most proofs except to note the uses of
induction or the particularly interesting cases. Also, we will freely and implicitly make use
of the properties of the specification logic.

7.1 Type-uniqueness for the Simply-typed λ-calculus

The type of a λ-term in the simply-typed λ-calculus is unique. Proving this type unique-
ness property requires reasoning inductively about typing judgments which, in turn, requires
generalizing the context in which typing judgments are made. We can encode such argu-
ments directly in our framework so long as we can describe the structure of the judgment
contexts. Such descriptions can be naturally expressed using nominal abstraction and, in
fact, this is the most common use of nominal abstraction. Thus, we use the present exam-
ple to demonstrate how nominal abstraction can be used in this way and to point out the
related lemmas that often go along with such descriptions.

We will use the specification of the simply-typed λ-calculus developed thus far in the
thesis (Section 2.3). Relative to this, we can formally state type uniqueness as

$\forall E, T_1, T_2.\ (\Vdash \mathit{of}\ E\ T_1) \supset (\Vdash \mathit{of}\ E\ T_2) \supset (T_1 = T_2).$
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ctx nil = T 

ctx {ofX A:: L)^ (VM, N. X = app M N D ±) A 
{yR,B. X = absB Rd ±)A 
(VS. member {of X B) L D ±) A 
ctx L 

Figure 7.1: Potential ctx definition without nominal abstraction 

Suppose we try to prove this directly by induction on one of the typing judgments. Then, 
when we consider the case where E is an abstraction, the typing context will grow which 
means the inductive hypothesis will not be able to apply. Instead, we need to generalize 
the statement of type uniqueness to the following. 

yL,E,Ti,T2. ctxLD {LhofETi) D {L\'ro{ET2) D (Ti = Ta). 

Here ctx is a definition which restricts L so that the formula is provable. In particular, 
ctx L should enforce that L has the structure $(of\ x_1\ A_1) :: \ldots :: (of\ x_n\ A_n) :: nil$ where each 
$x_i$ is atomic and unique. In the logics which preceded $\mathcal{G}$, these atomicity and uniqueness 
properties could not be directly described and instead one needed to encode them by explicitly 
excluding the other possibilities as shown in Figure 7.1. However, using nominal 
abstraction we define ctx as 

$ctx\ nil \triangleq \top \qquad (\nabla x.\ ctx\ (of\ x\ A :: L)) \triangleq ctx\ L.$

Note that in (of x A :: L), the atomicity of x is enforced by it being $\nabla$-quantified while 
the uniqueness is enforced by L being quantified outside the scope of x. Had we wanted to 
allow x to occur later in the context we could have written (L x) in place of L. 

The definition of ctx enforces atomicity and uniqueness properties for the first element 
of the context and then calls itself recursively on the remaining portion of the context. 
Thus, to know that an arbitrary element of the context has the atomicity and uniqueness 
properties requires inductive reasoning. We state these properties in the following two 
lemmas. 

$\forall L, X, A.\ ctx\ L \supset member\ (of\ X\ A)\ L \supset name\ X$ 

$\forall L, X, A_1, A_2.\ ctx\ L \supset member\ (of\ X\ A_1)\ L \supset member\ (of\ X\ A_2)\ L \supset (A_1 = A_2)$ 

Both of these lemmas have direct proofs using induction on one of the member hypotheses. 

With the above lemmas in place, the rest of the type uniqueness proof is straightforward. 
There is an interesting point to be noted here, though, concerning the treatment 
of abstractions, i.e., when considering the typing in the context L of a λ-term of the form 
abs A R. The use of a universal quantifier in the specification of typing in this case and the 
interpretation in the meta-logic of such universal quantifiers via $\nabla$-quantifiers ensures that 
the typing of R will be done in a context given by of x A :: L where x is a nominal constant 
not appearing in L. In the type uniqueness proof, we will need to show that this extended 
typing context is well-formed. This is done by showing that ctx (of x A :: L) follows from 
ctx L, which is clear based on the definition of ctx and the way x was introduced in the 
typing process. If a definition such as in Figure 7.1 were used, this argument would be more 
complicated. 



7.2 The POPLmark Challenge 

The POPLmark challenge is a call to researchers to develop tools and methodologies 
for animating and for reasoning about systems with binding [ABF+05]. The particular 
challenge proposed focuses on System F<:, a polymorphic λ-calculus with subtyping 
[CMMS94, CG94]. This challenge is of interest to us primarily because it provides a common 
benchmark on which various frameworks may be compared. In addition, some of the 
reasoning required for this problem illustrates the sophistication and naturalness of the 
reasoning tools available in our framework. 

The POPLmark challenge consists of three challenge problems which focus on 1) the type 
system, 2) evaluation, type preservation, and progress, and 3) animation. In this section 
we explain the solution to the first challenge problem which requires sophisticated induction 
schemes and some reasoning about binding structure. The second challenge problem 
requires a significant amount of reasoning about binding structure, but since we take binding 
as fundamental in our framework, this challenge problem is straightforward and fairly 
mundane in our framework (the development is available on the Abella website). Finally, 
the last challenge problem could be addressed through an animation system for λProlog, 
but we do not explore this in this section. The first and second challenge problems also 
have an additional component that asks for proofs to be repeated for System F<: extended 
with records and patterns. This extension requires a significant amount of additional work 
without providing much additional insight in the framework, and thus we do not pursue 
this extension. 

The first POPLmark challenge problem focuses on the type system of System F<:. In 
particular, given an algorithmic presentation of the subtyping rules for System F<:, the 
challenge asks one to show that the subtyping relation is reflexive and transitive, the key 
results needed to show equivalence between the algorithmic and declarative descriptions of 
subtyping. Reflexivity turns out to be straightforward, while transitivity requires sophisticated 
inductive reasoning. In the rest of this section we focus on the proof of transitivity. 

Types and typing contexts in System F<: are described by the following grammars. 

$T ::= X \mid Top \mid T \rightarrow T \mid \forall X<:T.\ T$ 
$\Gamma ::= \emptyset \mid \Gamma, X<:T$ 

Here X denotes a variable occurrence, and $\forall X<:T_1.\ T_2$ denotes that the variable X is bound 
within the scope of $T_2$ (but not in the scope of $T_1$). In $\Gamma, X<:T$ it is assumed that X does 
not occur in $\Gamma$. The algorithmic subtyping relation of System F<: is denoted by $\Gamma \vdash S <: T$, 
and is defined by the rules in Figure 7.2. 

$\Gamma \vdash S <: Top$ \quad (SA-Top) 

$\Gamma \vdash X <: X$ \quad (SA-Refl-TVar) 

$\dfrac{X<:U \in \Gamma \qquad \Gamma \vdash U <: T}{\Gamma \vdash X <: T}$ \quad (SA-Trans-TVar) 

$\dfrac{\Gamma \vdash T_1 <: S_1 \qquad \Gamma \vdash S_2 <: T_2}{\Gamma \vdash S_1 \rightarrow S_2 <: T_1 \rightarrow T_2}$ \quad (SA-Arrow) 

$\dfrac{\Gamma \vdash T_1 <: S_1 \qquad \Gamma, X<:T_1 \vdash S_2 <: T_2}{\Gamma \vdash (\forall X<:S_1.\ S_2) <: (\forall X<:T_1.\ T_2)}$ \quad (SA-All) 

Figure 7.2: Algorithmic subtyping rules for System F<: 

The challenge problem is to prove that the subtyping relation is transitive: if $\Gamma \vdash S <: Q$ 
and $\Gamma \vdash Q <: T$ then $\Gamma \vdash S <: T$. The proof of this property requires another result called 
narrowing to be proved simultaneously: if $\Gamma, X<:Q, \Delta \vdash M <: N$ and $\Gamma \vdash P <: Q$ then 
$\Gamma, X<:P, \Delta \vdash M <: N$. The proof of these two properties requires a mutual induction on 
the structure of the type Q. Within this induction the transitivity property is proved by 
induction on the structure of $\Gamma \vdash S <: Q$ and it uses the narrowing property for structurally 
smaller types Q. The narrowing property is proved by an inner induction on the structure 
of $\Gamma, X<:Q, \Delta \vdash M <: N$ and uses the transitivity property for the type Q. With the proper 
induction schemes as described, the details of the proof are straightforward. 
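As an added illustration, not code from the thesis or from Abella, the following Python reads the algorithmic rules of Figure 7.2 as the decision procedure they define. The type constructors, `sub`, `lookup`, `fresh_tvar` and the sample types are our own names; the context is the list of X<:U assumptions (the bound X U facts of Figure 7.3), and the body of a ∀X<:T. T type is a Python function, mirroring all : ty → (ty → ty) → ty.

```python
"""Added example (not the thesis's code): algorithmic subtyping for System F<:
following Figure 7.2, with binders in HOAS style and a context of X<:U pairs."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union
import itertools


@dataclass(frozen=True)
class Top:
    pass


@dataclass(frozen=True)
class TVar:
    name: str


@dataclass(frozen=True)
class Arrow:
    dom: Ty
    cod: Ty


@dataclass(frozen=True)
class All:
    bound: Ty
    body: Callable[[Ty], Ty]    # X is abstracted: body(X) is the type under the binder


Ty = Union[Top, TVar, Arrow, All]
Ctx = Tuple[Tuple[str, Ty], ...]    # Γ as (X, U) pairs, one per assumption X<:U

_fresh = itertools.count()


def fresh_tvar() -> TVar:
    # plays the role of the nominal constant x that SA-All introduces for the bound variable
    return TVar(f"#X{next(_fresh)}")


def lookup(ctx: Ctx, name: str) -> Optional[Ty]:
    for x, u in ctx:
        if x == name:
            return u
    return None


def sub(ctx: Ctx, s: Ty, t: Ty) -> bool:
    """Γ ⊢ s <: t.  Each branch is one rule of Figure 7.2; the rules are
    syntax-directed, so the shapes of s and t select the rule."""
    if isinstance(t, Top):                                  # SA-Top
        return True
    if isinstance(s, TVar):
        if isinstance(t, TVar) and s == t:                  # SA-Refl-TVar: X must be a type
            return lookup(ctx, s.name) is not None          # variable, i.e. have some bound X U
        u = lookup(ctx, s.name)                             # SA-Trans-TVar: X<:U ∈ Γ, Γ ⊢ U <: T
        return u is not None and sub(ctx, u, t)
    if isinstance(s, Arrow) and isinstance(t, Arrow):       # SA-Arrow: contravariant domain
        return sub(ctx, t.dom, s.dom) and sub(ctx, s.cod, t.cod)
    if isinstance(s, All) and isinstance(t, All):           # SA-All: bounds, then bodies under X<:T1
        if not sub(ctx, t.bound, s.bound):
            return False
        x = fresh_tvar()
        return sub(((x.name, t.bound),) + ctx, s.body(x), t.body(x))
    return False                                            # no rule applies


def transitive_instance(ctx: Ctx, s: Ty, q: Ty, t: Ty) -> bool:
    """One instance of the transitivity property: s <: q and q <: t imply s <: t."""
    return not (sub(ctx, s, q) and sub(ctx, q, t)) or sub(ctx, s, t)


# constructed sample types and context
TOP = Top()
ID_TYPE = All(TOP, lambda x: Arrow(x, x))          # ∀X<:Top. X -> X
TOP_TO_X = All(TOP, lambda x: Arrow(TOP, x))       # ∀X<:Top. Top -> X
GAMMA: Ctx = (("Y", Arrow(TOP, TOP)),)             # Y <: Top -> Top
```

Note that a bare type variable with no bound in the context is rejected even against itself, which is exactly the `bound X U ⊃ sub X X` reading of SA-Refl-TVar in Figure 7.3.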

To formalize System F<: types we introduce the type ty and the following constants. 

$top : ty \qquad arrow : ty \rightarrow ty \rightarrow ty \qquad all : ty \rightarrow (ty \rightarrow ty) \rightarrow ty$ 

Typing contexts will be represented using the context of specification logic judgments. We 
introduce the constant $bound : ty \rightarrow ty \rightarrow o$ for representing individual type bindings within 
that context. 

We encode the subtyping rules of System F<: as specification logic formulas concerning the 
constant $sub : ty \rightarrow ty \rightarrow o$ as presented in Figure 7.3. Note that we do not explicitly 
represent the typing context, but instead make assumptions of the form bound X T to 
denote a typing assumption of X<:T. Also, in the formal rules SA-Refl-TVar and SA-Trans-TVar 
the variable X represents only type variables while our translation of these 
rules does not directly enforce this constraint. Instead, our translations require that any such 
X satisfy a bound X U judgment for some U. Since we only make such judgments for X 
which denote type variables, our encoding remains adequate. 

$sub\ S\ top$ 

$bound\ X\ U \supset sub\ X\ X$ 

$bound\ X\ U \supset sub\ U\ T \supset sub\ X\ T$ 

$sub\ T_1\ S_1 \supset sub\ S_2\ T_2 \supset sub\ (arrow\ S_1\ S_2)\ (arrow\ T_1\ T_2)$ 

$sub\ T_1\ S_1 \supset (\forall x.\ bound\ x\ T_1 \supset sub\ (S_2\ x)\ (T_2\ x)) \supset sub\ (all\ S_1\ S_2)\ (all\ T_1\ T_2)$ 

Figure 7.3: Specification of algorithmic subtyping for System F<: 

To reason about subtyping we first formalize the notion that a typing context is well-formed. 
Strictly speaking, a context is well-formed if it is either $\emptyset$ or $\Gamma, X<:T$ where X is 
a variable which does not occur in $\Gamma$. For reasons we discuss later, we deliberately weaken 
this notion and require only that X is a variable. We recognize such well-formed contexts 
with the following definition. 

$ctx\ nil \triangleq \top \qquad ctx\ (bound\ X\ U :: L) \triangleq name\ X \wedge ctx\ L$ 

We also prove the following associated lemma. 

$\forall E, L.\ ctx\ L \supset member\ E\ L \supset \exists X, U.\ (E = bound\ X\ U) \wedge name\ X$ 

This is proved by a simple induction on the member hypothesis. 

The logic $\mathcal{G}$ allows for induction only on definitions and not on terms. Thus to induct 
on the structure of a System F<: type we must create a definition which recognizes such 
types. We define a predicate $wfty : ty \rightarrow o$ as follows. 

$wfty\ top \triangleq \top$ 
$(\nabla x.\ wfty\ x) \triangleq \top$ 
$wfty\ (arrow\ T_1\ T_2) \triangleq wfty\ T_1 \wedge wfty\ T_2$ 
$wfty\ (all\ T_1\ T_2) \triangleq wfty\ T_1 \wedge \nabla x.\ wfty\ (T_2\ x)$ 

Induction on wfty Q will correspond to structural induction on the type Q as needed. 
Note that we could impose additional well-formedness constraints which restrict variable 
occurrences relative to some context of type variables, but such restrictions are unnecessary 
for the proof at hand. 

We can state the combined transitivity and narrowing property as follows. 

$\forall Q.\ wfty\ Q \supset$ 
$\quad (\forall L, S, T.\ ctx\ L \supset (L \Vdash sub\ S\ Q) \supset (L \Vdash sub\ Q\ T) \supset (L \Vdash sub\ S\ T))\ \wedge$ 
$\quad (\forall L, P, X, M, N.\ ctx\ (bound\ X\ Q :: L) \supset (L \Vdash sub\ P\ Q) \supset$ 
$\qquad (bound\ X\ Q :: L \Vdash sub\ M\ N) \supset (bound\ X\ P :: L \Vdash sub\ M\ N))$ 
      λx 
      | 
      @ 
     / \ 
    x   λy 
        | 
        y 

Figure 7.4: Tree form of λx.(x (λy.y)) 

The proof is by an outer induction on wfty Q. To prove the inner conjunction we use the 
following derived rule of $\mathcal{G}$. 

$\dfrac{\Gamma \longrightarrow B \qquad \Gamma, B \longrightarrow C}{\Gamma \longrightarrow B \wedge C}\ \wedge\mathcal{R}^*$ 

This rule is clearly admissible using cut and $\wedge\mathcal{R}$. We use this rule with B as the transitivity 
result for the type Q and C as the narrowing result for the type Q. Thus this rule allows us to 
use the transitivity result for the type Q while proving the corresponding narrowing result. 
Once this is applied we can prove transitivity using a further induction on $(L \Vdash sub\ S\ Q)$ 
and narrowing using a further induction on $(bound\ X\ Q :: L \Vdash sub\ M\ N)$. The reasoning 
which remains is straightforward. 

Notice that in the original statement of narrowing, the distinguished typing assumption 
X<:Q is taken from the middle of the typing context, while in our formalized statement 
we consider the assumption bound X Q only at the front. By formalizing narrowing in 
this way, we greatly simplify the associated reasoning (e.g., we do not need to talk about 
appending contexts as we would with a direct statement). The cost is that when we add 
other elements to the context, we must show that the distinguished binding can always 
be moved to the front. This is possible since we have weakened the ctx judgment to not 
contain any freshness information, and therefore no ordering information. Since freshness 
information is not relevant to the transitivity and narrowing results, there is no cost to 
leaving this information out. To establish adequacy, we can use a more precise description 
of typing contexts and still make use of these results proved for the looser description. 

7.3 Path Equivalence for λ-terms 

We can characterize λ-terms by means of their paths, where a path formalizes the idea of 
descending through the abstract syntax tree of a term. For example, the λ-term 
λx.(x (λy.y)), whose tree form is shown in Figure 7.4, has two paths: 

1. descend through the binder for x, go left at the application, stop at x, and 

2. descend through the binder for x, go right at the application, descend through the 
binder for y, stop at y 

$term\ M \supset term\ N \supset term\ (app\ M\ N)$ 
$(\forall x.\ term\ x \supset term\ (R\ x)) \supset term\ (abs\ R)$ 

$path\ M\ P \supset path\ (app\ M\ N)\ (left\ P)$ 
$path\ N\ P \supset path\ (app\ M\ N)\ (right\ P)$ 

$(\forall x. \forall p.\ path\ x\ p \supset path\ (R\ x)\ (S\ p)) \supset path\ (abs\ R)\ (bnd\ S)$ 

Figure 7.5: Specification of paths through λ-terms 

Our goal in this section is to show that if two λ-terms share all the same paths, then the terms 
must be equal. We call this the path equivalence property. 

We are interested in the path equivalence property since it expresses a model checking-like 
property over terms with binding structure. This type of property is difficult or 
impossible to formalize in competing frameworks like Twelf [PS99] since expressing the 
hypothetical property that two λ-terms have all the same paths requires a sufficiently rich logic. 
However, in our framework, we find that this property can be stated and reasoned about 
directly. Also, this application illustrates how we can use definitions to describe the structure 
of multiple judgment contexts which have related structure. Finally, a complication in 
this application demonstrates the need for occasional vacuity properties to be established 
regarding the occurrences of nominal constants in terms. 

We introduce a type tm for untyped λ-terms and pt for paths together with the following 
constructors. 

$app : tm \rightarrow tm \rightarrow tm \qquad abs : (tm \rightarrow tm) \rightarrow tm$ 

$left : pt \rightarrow pt \qquad right : pt \rightarrow pt \qquad bnd : (pt \rightarrow pt) \rightarrow pt$ 

We then introduce the predicates $term : tm \rightarrow o$ and $path : tm \rightarrow pt \rightarrow o$ defined by the 
specification logic formulas in Figure 7.5. 

Given this description of paths through A-terms we can state the path equivalence 
property as follows. 

$\forall M, N.\ (\Vdash term\ M) \supset (\forall P.\ (\Vdash path\ M\ P) \supset (\Vdash path\ N\ P)) \supset (M = N)$ 

Note that we have added the explicit assumption $(\Vdash term\ M)$ so that we can induct on 
the structure of M. Also, we have stated only that the paths in M are also in N, but not 
vice-versa. It turns out that this weaker property is sufficient to prove the result. 
Before we can proceed with the proof of the above statement, we need to strengthen 
it. In particular, when M is an abstraction we need to consider how the contexts for the 
term and path judgments will grow. This is done with the following definition of ctxs which 
describes not only how each context grows, but how the two contexts are related. 

$ctxs\ nil\ nil \triangleq \top \qquad (\nabla x. \nabla p.\ ctxs\ (term\ x :: L)\ (path\ x\ p :: K)) \triangleq ctxs\ L\ K$ 

Along with this definition, we need the following lemmas which allow us to extract infor- 
mation about a term based on its membership in one of the contexts described by ctxs. 

$\forall X, L, K.\ ctxs\ L\ K \supset member\ (term\ X)\ L \supset name\ X \wedge \exists P.\ member\ (path\ X\ P)\ K$ 

$\forall X, P, L, K.\ ctxs\ L\ K \supset member\ (path\ X\ P)\ K \supset name\ X \wedge name\ P$ 

The proofs of both lemmas are by straightforward induction on the member hypotheses. 
We can state the strengthened equivalence property as follows. 

$\forall L, K, M, N.\ ctxs\ L\ K \supset (L \Vdash term\ M) \supset$ 
$\quad (\forall P.\ (K \Vdash path\ M\ P) \supset (K \Vdash path\ N\ P)) \supset (M = N)$ 

The proof of this statement is by induction on $(L \Vdash term\ M)$. In the base case we need the 
following lemma which is proved by induction on one of the member hypotheses. 

$\forall L, K, X_1, X_2, P.\ ctxs\ L\ K \supset member\ (path\ X_1\ P)\ K \supset member\ (path\ X_2\ P)\ K \supset (X_1 = X_2)$ 

In the other cases of the proof, we need to show that the top-level constructor of M is 
also the top-level constructor of N. We do this by finding a path through M and using the 
hypothesis that M and N share the same paths to find the same path in N. The top-level 
constructor of that path will determine the top-level constructors of M and N. However, 
this requires that we can always find a path through a term, which we formalize as the 
following lemma. 

$\forall L, K, M.\ ctxs\ L\ K \supset (L \Vdash term\ M) \supset \exists P.\ (K \Vdash path\ M\ P)$ 

The proof of this lemma is by induction on $(L \Vdash term\ M)$. 

There is one last complication in the proof of path equivalence which comes from the 
inductive case concerning abstractions. Suppose M = abs R and N = abs R'. Here we 
know 

$\forall P.\ (K \Vdash path\ (abs\ R)\ P) \supset (K \Vdash path\ (abs\ R')\ P)$ 

but in order to use the inductive hypothesis we must show 

$\forall P.\ (path\ x\ p :: K \Vdash path\ (R\ x)\ P) \supset (path\ x\ p :: K \Vdash path\ (R'\ x)\ P)$ 

where x and p are nominal constants. Now the problem is that when we go to prove this 
latter formula, the $\forall\mathcal{R}$ rule says that we must replace P by P' x p for some new eigenvariable 
P'. Note that P' is raised over both x and p even though the dependency on x must be 
vacuous. We must prove this vacuity to finish this case of the proof, and thus we need the 
following lemma. 

$\forall K, M, P.\ \nabla x, p.\ (path\ x\ p :: K \Vdash path\ (M\ x)\ (P\ x\ p)) \supset \exists P'.\ (P = \lambda z.\ P')$ 

This is proved by induction on the path judgment. With this issue resolved, the rest of the 
path equivalence proof is straightforward. 

As we have seen, the path equivalence property is expressed naturally in our framework 
through the use of a formula with a nested universal quantifier and implication. We briefly 
discuss the adequacy considerations regarding such a formula. The goal is to use the 
path equivalence property proven in $\mathcal{G}$ in order to prove the path equivalence property for 
the object system. To do this, we need to show that the hypotheses we have about the 
object system imply that there are proofs in $\mathcal{G}$ of the corresponding hypotheses for the 
formalization of the path equivalence problem; if we can show this, then we will obtain the 
desired result by using the bijectivity of the mappings for terms. Looking more carefully at 
the hypothesis, we see that the main concern is showing that if every path in a λ-term m 
is a path in another λ-term n then the following is provable in $\mathcal{G}$: 

$\forall P.\ (\Vdash path\ \psi(\phi(m))\ P) \supset (\Vdash path\ \psi(\phi(n))\ P)$ \quad (7.1) 

Here $\phi$ is the bijection between object terms and their specification logic representations, 
and $\psi$ is the bijection between specification logic terms and their meta-logic representations. 

To complete this discussion, we provide a sketch of how a proof of (7.1) might be 
constructed. We start with the knowledge that every path in m is a path in n. Then, assuming 
that the specification of path is adequate, we know that whenever $\Delta \vdash path\ \phi(m)\ \phi(p)$ 
has an $hH^2$ derivation, it must be that $\Delta \vdash path\ \phi(n)\ \phi(p)$ also has an $hH^2$ derivation, 
where $\Delta$ is the specification of path and term. By the adequacy of seq established in 
Theorem 6.3.1 we know that whenever $\Vdash path\ \psi(\phi(m))\ \psi(\phi(p))$ is provable in $\mathcal{G}$, it must be 
that $\Vdash path\ \psi(\phi(n))\ \psi(\phi(p))$ is also provable in $\mathcal{G}$. We will use this knowledge shortly. Now 
to prove (7.1) in $\mathcal{G}$ we start by applying the $\forall\mathcal{R}$ and $\supset\mathcal{R}$ rules. Then we repeatedly apply 
appropriate left rules starting with the assumption $\Vdash path\ \psi(\phi(m))\ P$. Since $\psi(\phi(m))$ has 
no eigenvariables and path always deconstructs its first argument, this repeated application 
of left rules can be made to result only in sequents with no formulas on the left and where 
P is instantiated with a term such that $\Vdash path\ \psi(\phi(m))\ P$ is provable in $\mathcal{G}$. Now using our 
knowledge from before and the assumption that $\phi$ and $\psi$ are bijections, it must be that 
$\Vdash path\ \psi(\phi(n))\ P$ is provable in $\mathcal{G}$. This is exactly the form of the right side of each of the 
sequents which results from the repeated application of left rules. Thus each such sequent 
must be provable, and therefore (7.1) must also be provable in $\mathcal{G}$. 
$add\ z\ C\ C$ 

$add\ A\ B\ C \supset add\ (s\ A)\ B\ (s\ C)$ 

$ho2db\ M\ D\ M' \supset ho2db\ N\ D\ N' \supset ho2db\ (app\ M\ N)\ D\ (dapp\ M'\ N')$ 

$depth\ X\ D_x \supset add\ D_x\ X'\ D \supset ho2db\ X\ D\ (dvar\ X')$ 

$(\forall x.\ depth\ x\ D \supset ho2db\ (R\ x)\ (s\ D)\ R') \supset ho2db\ (abs\ R)\ D\ (dabs\ R')$ 

Figure 7.6: Specification of translation between HOAS and de Bruijn notation 

7.4 Conversion between HOAS and de Bruijn Notation 

De Bruijn notation is a first-order representation of binding which uses numeric indices 
to associate variable occurrences with their binders. More precisely, the index denoting 
a variable occurrence corresponds to the number of abstractions between the occurrence and 
its binder. In this section we describe a translation between the higher-order abstract syntax 
representation and de Bruijn notation for untyped λ-terms, and we prove that this translation 
is deterministic in both directions. This example highlights the use of a definition for 
describing a context which carries more than just variable freshness information. 

We start by introducing the type tm for the higher-order abstract syntax representation 
of untyped λ-terms with the constructors $app : tm \rightarrow tm \rightarrow tm$ and $abs : (tm \rightarrow tm) \rightarrow tm$. 
For natural numbers we use the type nt with constructors $z : nt$ and $s : nt \rightarrow nt$. Finally, 
for de Bruijn notation terms we introduce the type db with the following constructors. 

$dabs : db \rightarrow db \qquad dapp : db \rightarrow db \rightarrow db \qquad dvar : nt \rightarrow db$ 

We translate from higher-order abstract syntax to de Bruijn notation as follows. We 
walk over the structure of the term keeping track of the number of abstractions we have 
descended through. Whenever we come to an abstraction we use the context to record a 
new variable for that abstraction and the abstraction depth at which it was encountered. 
When we encounter a variable occurrence, we subtract the depth recorded for it in the context 
from the current abstraction depth to determine the index for that variable occurrence. 
Using the predicates $add : nt \rightarrow nt \rightarrow nt \rightarrow o$, $depth : tm \rightarrow nt \rightarrow o$, and $ho2db : tm \rightarrow nt \rightarrow db \rightarrow o$, 
the specification of the translation is presented in Figure 7.6. 

Now there is a derivation of ho2db M z M' if and only if M is a higher-order abstract 
syntax representation of the de Bruijn notation term M'. Moreover, note that the trans- 
lation is symmetric: we could start with either M or M' and construct a derivation of 
ho2db M z M' to determine a value for the other. 
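The path specification of Figure 7.5 (Section 7.3) and the translation of Figure 7.6 both walk a term under its binders while threading a context, so one added example in Python serves both; it is our own code, not the thesis's, and all names in it are ours. Binders are Python functions (higher-order abstract syntax), fresh `Var` values stand in for the nominal constants introduced by ∀x, and the dicts threaded through the walks stand in for the path x p and depth x D assumptions in the judgment context.

```python
"""Added example (not the thesis's code): paths through λ-terms (Figure 7.5)
and the HOAS <-> de Bruijn translation (Figure 7.6), with HOAS binders as
Python functions and fresh names standing in for nominal constants."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union
import itertools


@dataclass(frozen=True)
class Var:
    name: str                      # a nominal constant standing for a bound variable

@dataclass(frozen=True)
class App:
    fn: Tm
    arg: Tm

@dataclass(frozen=True)
class Abs:
    body: Callable[[Tm], Tm]       # abs R with R a function, as in abs : (tm -> tm) -> tm

Tm = Union[Var, App, Abs]


@dataclass(frozen=True)
class DVar:
    index: int

@dataclass(frozen=True)
class DApp:
    fn: Db
    arg: Db

@dataclass(frozen=True)
class DAbs:
    body: Db

Db = Union[DVar, DApp, DAbs]

_fresh = itertools.count()

def fresh() -> Var:
    return Var(f"#{next(_fresh)}")


def paths(t: Tm, ctx: Optional[Dict[str, int]] = None) -> List[Tuple]:
    """All paths through t, one clause of Figure 7.5 per case.  A path is a tuple
    of steps: "left"/"right" at applications, "bnd" through a binder, and finally
    the path constant p recorded for the variable the path stops at.  We name
    that p by the number of binders above it, which is faithful because each
    "bnd" on a path introduces exactly one p."""
    ctx = {} if ctx is None else ctx
    if isinstance(t, Var):
        return [(ctx[t.name],)]                       # path x p, taken from the context
    if isinstance(t, App):
        return ([("left",) + p for p in paths(t.fn, ctx)] +
                [("right",) + p for p in paths(t.arg, ctx)])
    x = fresh()                                       # ∀x.∀p. path x p ⊃ path (R x) (S p)
    return [("bnd",) + p for p in paths(t.body(x), {**ctx, x.name: len(ctx)})]


def path_equivalent(m: Tm, n: Tm) -> bool:
    """Hypothesis of the path equivalence property: every path of m is a path of n."""
    return set(paths(m)) <= set(paths(n))


def ho2db(t: Tm, depth: int = 0, ctx: Optional[Dict[str, int]] = None) -> Db:
    """HOAS -> de Bruijn (Figure 7.6).  ctx holds the depth x D assumptions; from
    add Dx X' D the index is X' = D - Dx, so the innermost binder gets index 1."""
    ctx = {} if ctx is None else ctx
    if isinstance(t, Var):
        return DVar(depth - ctx[t.name])
    if isinstance(t, App):
        return DApp(ho2db(t.fn, depth, ctx), ho2db(t.arg, depth, ctx))
    x = fresh()                                       # ∀x. depth x D ⊃ ho2db (R x) (s D) R'
    return DAbs(ho2db(t.body(x), depth + 1, {**ctx, x.name: depth}))


def db2ho(d: Db, depth: int = 0, env: Optional[Dict[int, Var]] = None) -> Tm:
    """de Bruijn -> HOAS: the same relation read in the other direction.  env maps
    the depth at which a binder was met to the variable it introduced."""
    env = {} if env is None else env
    if isinstance(d, DVar):
        return env[depth - d.index]                   # Dx = D - X'
    if isinstance(d, DApp):
        return App(db2ho(d.fn, depth, env), db2ho(d.arg, depth, env))
    return Abs(lambda x: db2ho(d.body, depth + 1, {**env, depth: x}))


def alpha_equal(m: Tm, n: Tm) -> bool:
    """Equality of HOAS terms up to the names of the fresh constants, decided
    through their de Bruijn translations (deterministic, as Section 7.4 proves)."""
    return ho2db(m) == ho2db(n)


# constructed examples: the term of Figure 7.4 and a variant differing only under the binders
EXAMPLE = Abs(lambda x: App(x, Abs(lambda y: y)))    # λx.(x (λy.y))
VARIANT = Abs(lambda x: App(x, Abs(lambda y: x)))    # λx.(x (λy.x))
```

Running `paths(EXAMPLE)` yields the two paths listed in Section 7.3, and `ho2db(EXAMPLE)` is the same de Bruijn term however the fresh constants happen to be named, which is the determinacy property of this section on a concrete input.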

Now we want to show that the above translation is deterministic in both directions. In 
doing this, we will need to make certain properties of natural numbers explicit. For this we 
make use of the following two definitions. 

$nat\ z \triangleq \top \qquad le\ A\ A \triangleq \top$ 
$nat\ (s\ A) \triangleq nat\ A \qquad le\ A\ (s\ B) \triangleq le\ A\ B$ 

Along with these we prove the following arithmetic properties by straightforward induction. 

$\forall A, B.\ le\ (s\ A)\ B \supset le\ A\ B$ 
$\forall A.\ nat\ A \supset le\ (s\ A)\ A \supset \bot$ 
$\forall A, B, C.\ (\Vdash add\ A\ B\ C) \supset le\ B\ C$ 

$\forall A_1, A_2, B, C.\ nat\ C \supset (\Vdash add\ A_1\ B\ C) \supset (\Vdash add\ A_2\ B\ C) \supset (A_1 = A_2)$ 
$\forall A, B_1, B_2, C.\ (\Vdash add\ A\ B_1\ C) \supset (\Vdash add\ A\ B_2\ C) \supset (B_1 = B_2)$ 

Note that we have made the assumption nat explicit in some of these to provide a target 
for induction. 

Derivations of ho2db will construct contexts of the form 

$depth\ x_n\ (s^n\ z) :: \ldots :: depth\ x_2\ (s\ (s\ z)) :: depth\ x_1\ (s\ z) :: depth\ x_0\ z :: nil$ 

where each $x_i$ is unique. Moreover, the numbers associated with each $x_i$ will also be 
unique since they are sequential. Each of these uniqueness properties will be needed to 
show determinacy for one or the other direction of the translation. We can describe these 
contexts with the following definition. 

$dctx\ nil\ z \triangleq \top \qquad (\nabla x.\ dctx\ (depth\ x\ D :: L)\ (s\ D)) \triangleq dctx\ L\ D$ 

The corresponding lemma for dctx is as follows. 

$\forall E, L, D.\ dctx\ L\ D \supset member\ E\ L \supset \exists X, D_x.\ (E = depth\ X\ D_x) \wedge name\ X$ 

The proof is by induction on the member judgment. One complication related to contexts 
arises when we call add from within ho2db: the add judgment inherits the context from 
ho2db. This is a problem since all of our lemmas about add assume that it has an empty 
context. We can fix this by proving the following lemma. 

$\forall L, D, A, B, C.\ dctx\ L\ D \supset (L \Vdash add\ A\ B\ C) \supset (\Vdash add\ A\ B\ C)$ 

This is proved by a simple induction on the add judgment. 

Now let us consider the determinacy proof going from higher-order abstract syntax to 
de Bruijn notation. For this, we need the following lemma which says that each variable in 
the context has a unique index associated with it. 

$\forall L, D, X, D_1, D_2.\ dctx\ L\ D \supset member\ (depth\ X\ D_1)\ L \supset member\ (depth\ X\ D_2)\ L \supset (D_1 = D_2)$ 

This is proved by a straightforward induction on one of the member hypotheses. Then we 
can prove the generalized determinacy result: 

$\forall L, M, M_1', M_2', D.\ dctx\ L\ D \supset (L \Vdash ho2db\ M\ D\ M_1') \supset (L \Vdash ho2db\ M\ D\ M_2') \supset (M_1' = M_2').$ 

This is proved by induction on one of the ho2db judgments. We then apply this general- 
ization with L = nil and D = z to get the specific determinacy result we care about. 

To prove determinacy in the other direction we need a lemma which says that each 
index in the context has a unique variable associated with it. We can state this as 

$\forall L, D, X_1, X_2, D_x.\ dctx\ L\ D \supset member\ (depth\ X_1\ D_x)\ L \supset member\ (depth\ X_2\ D_x)\ L \supset (X_1 = X_2).$ 

This is proved by induction on one of the member hypotheses; however, we need an additional 
result about the restrictions on indices in the context for the proof to go through. 
Specifically, the following lemma is required. 

$\forall L, D, D_x, X.\ dctx\ L\ D \supset member\ (depth\ X\ D_x)\ L \supset le\ D\ D_x \supset \bot$ 

This is proved by induction on the member hypothesis and in turn requires the following 
result which follows by a simple induction. 

$\forall L, D.\ dctx\ L\ D \supset nat\ D$ 

With these lemmas in place, the generalized determinacy result is as follows. 

$\forall L, M_1, M_2, D, M'.\ dctx\ L\ D \supset (L \Vdash ho2db\ M_1\ D\ M') \supset (L \Vdash ho2db\ M_2\ D\ M') \supset (M_1 = M_2)$ 

This is now proved by straightforward induction on one of the ho2db hypotheses, and again 
we can substitute L = nil and D = z to obtain the specialized result. 

7.5 Formalizing Tait-Style Proofs for Strong Normalization 

Tait introduced the idea of a logical relation and showed how this could be used to provide 
an elegant proof of the strong normalization property for the typed λ-calculus [Tai67]. 
Girard subsequently generalized this idea to obtain a strong normalization result for the 
computationally much richer second-order λ-calculus or System F [Gir72]. This style of 
argument has both an elegance and a sophistication that would be interesting to see captured 
in formalizations. We show in this section that our framework is up to the task by considering 
an encoding of the argument for the simply typed λ-calculus drawn from [GTL89]. 
One note, however, is that the strong normalization argument requires a definition for a 
logical relation which does not satisfy our current stratification restriction. We strongly 
believe that the stratification condition on definitions in $\mathcal{G}$ could be weakened to allow 
this definition while preserving cut-elimination, but at present we have no corresponding 
cut-elimination proof. 

$type\ i$ 

$type\ A \supset type\ B \supset type\ (arrow\ A\ B)$ 

$of\ M\ (arrow\ A\ B) \supset of\ N\ A \supset of\ (app\ M\ N)\ B$ 

$type\ A \supset (\forall x.\ of\ x\ A \supset of\ (R\ x)\ B) \supset of\ (abs\ A\ R)\ (arrow\ A\ B)$ 

$type\ A \supset of\ c\ A$ 

$step\ M\ M' \supset step\ (app\ M\ N)\ (app\ M'\ N)$ 

$step\ N\ N' \supset step\ (app\ M\ N)\ (app\ M\ N')$ 

$step\ (app\ (abs\ A\ R)\ M)\ (R\ M)$ 

$(\forall x.\ step\ (R\ x)\ (R'\ x)) \supset step\ (abs\ A\ R)\ (abs\ A\ R')$ 

Figure 7.7: Specification of typing and one-step reduction 

To encode the simply-typed λ-calculus we use the familiar types ty and tm along with 
their constructors i, arrow, app, and abs. In Girard's argument he assumes that we are 
always working with open terms and can therefore always select a free variable at any type. 
Rather than explicitly representing this style of reasoning, we opt to introduce a constant 
c : tm which we allow to take on any type. This does not impair the adequacy of our final 
result: if a term does not contain c then none of the terms it reduces to will contain it, and 
therefore c has no effect on normalization. The specification of typing ($of : tm \rightarrow ty \rightarrow o$) 
and one-step reduction ($step : tm \rightarrow tm \rightarrow o$) is given in Figure 7.7. The specification 
includes a predicate $type : ty \rightarrow o$ to recognize types, which we use in the 
abstraction typing rule since this will be needed for later arguments. Also, we add a typing 
clause for c to allow it to take on any type. 

Strong normalization says that all reduction paths eventually terminate. We can suc- 
cinctly encode this property in the following definition. 

$sn\ M \triangleq \forall M'.\ (\Vdash step\ M\ M') \supset sn\ M'$ 

Note that there is no explicit base case for sn, but if M has no reductions then $(\Vdash step\ M\ M')$ 
will be impossible and therefore sn M will hold. Also, we will see that structural induction 
on the definition of sn corresponds to induction on the structure of the possible reductions 
from a term. The adequacy of sn can be established in the same manner as adequacy for 
the path equivalence application (Section 7.3). We can now state the goal of this section: 

$\forall M, A.\ (\Vdash of\ M\ A) \supset sn\ M$ 

The rest of this section describes definitions and lemmas necessary to prove this formula. 

7.5.1 Typing and One-step Reduction 

In order to reason about typing judgments, we need to make explicit the structure of the 
contexts of such judgments. They are described by the following definition. 

$ctx\ nil \triangleq \top \qquad (\nabla x.\ ctx\ (of\ x\ A :: L)) \triangleq (\Vdash type\ A) \wedge ctx\ L$ 

We then prove the corresponding lemma about context membership: 

$\forall E, L.\ ctx\ L \supset member\ E\ L \supset \exists X, A.\ (E = of\ X\ A) \wedge name\ X \wedge (\Vdash type\ A)$ 

The proof is by induction on the member hypothesis. Another auxiliary lemma we need 
about typing says that we can extract type judgments from of judgments. 

$\forall L, M, A.\ ctx\ L \supset (L \Vdash of\ M\ A) \supset (\Vdash type\ A)$ 

This is proved by induction on the of judgment and requires the following lemma which 
says that type judgments ignore typing contexts. 

$\forall L, A.\ ctx\ L \supset (L \Vdash type\ A) \supset (\Vdash type\ A)$ 

This is proved by induction on the type judgment. 

Now, the first real result we need is that one-step reduction preserves typing: 

$\forall L, M, M', A.\ ctx\ L \supset (L \Vdash of\ M\ A) \supset (\Vdash step\ M\ M') \supset (L \Vdash of\ M'\ A).$ 

The proof is by induction on the step judgment. Note that we have to generalize the typing 
context since one-step reduction can take place underneath abstractions. Another useful 
lemma is the following. 

$\forall M.\ sn\ (app\ M\ c) \supset sn\ M$ 
The proof is by induction on sn. 

7.5.2 The Logical Relation 

The difficulty with proving strong normalization directly is that it is not closed under 
application, i.e., sn M and sn N do not imply sn (app M N). Instead, we must strengthen 
the normalization property to one which includes a notion of closure under application. This 
strengthened condition is called reducibility and is originally due to Tait [Tai67]. We say 
that a term M reduces at type A if reduce M A holds where reduce is defined as follows: 

$reduce\ M\ i \triangleq (\Vdash of\ M\ i) \wedge sn\ M$ 
$reduce\ M\ (arrow\ A\ B) \triangleq (\Vdash of\ M\ (arrow\ A\ B)) \wedge (\forall U.\ reduce\ U\ A \supset reduce\ (app\ M\ U)\ B)$ 

Note that reduce is defined with a negative use of itself and therefore does not satisfy the 
current stratification condition on definitions. However, the second argument to reduce is 
smaller in the negative occurrence, and thus there are no logical loops introduced by this 
definition. Intuitively, we can think of $(\lambda x.\ reduce\ x\ A)$ as defining a separate fixed-point 
for each type A, and that these fixed-points are constructed based on induction on A. 

An auxiliary notion used when discussing reducibility is called neutrality: a term is 
called neutral if it is not an abstraction. We can define this directly as follows. 

$neutral\ M \triangleq \forall A, R.\ (M = abs\ A\ R) \supset \bot$ 

Now Girard lays out three properties of reducibility which we can formalize as follows. 

(CR 1) $\forall M, A.\ (\Vdash type\ A) \supset reduce\ M\ A \supset sn\ M$ 

(CR 2) $\forall M, M', A.\ (\Vdash type\ A) \supset reduce\ M\ A \supset (\Vdash step\ M\ M') \supset reduce\ M'\ A$ 

(CR 3) $\forall M, A.\ (\Vdash type\ A) \supset neutral\ M \supset (\Vdash of\ M\ A) \supset (\forall M'.\ (\Vdash step\ M\ M') \supset reduce\ M'\ A) \supset reduce\ M\ A$ 

Each of these follows by induction on the type judgment. The proof of (CR 2) is straightforward, 
but the proofs of (CR 1) and (CR 3) are more complicated. In particular, (CR 1) 
depends on (CR 3) at types structurally smaller than A while (CR 3) depends on (CR 1) 
at the same type A. As in the POPLmark application (Section 7.2) we can handle this by 
stating a combined lemma and using $\wedge\mathcal{R}^*$ within the induction: 

$\forall A.\ (\Vdash type\ A) \supset$ 
$\quad (\forall M.\ reduce\ M\ A \supset sn\ M)\ \wedge$ 
$\quad (\forall M.\ neutral\ M \supset (\Vdash of\ M\ A) \supset (\forall M'.\ (\Vdash step\ M\ M') \supset reduce\ M'\ A) \supset reduce\ M\ A)$ 

The proof is by induction on the type judgment, and the (CR 1) portion of the proof is 
relatively straightforward. In the (CR 3) portion, when A is an arrow type, say arrow $A_1$ $A_2$, 
we need to show 

$\forall U.\ reduce\ U\ A_1 \supset reduce\ (app\ M\ U)\ A_2.$ 

From the (CR 1) inductive hypothesis on type $A_1$ we can determine that sn U holds, and 
then the proof is by an inner induction on sn U. 

The last reducibility lemma we need says that if for all reducible U of type A, M[U/x] 
is reducible, then so is λx:A. M. For λx:A. M to be reducible requires showing that 
for all reducible V that M V is reducible. Girard proves this by induction on the sum 
of the lengths of the longest reduction paths from M and V. We can state this unfolded 
reducibility lemma as follows. 

$\forall V, M, A, B.\ (\Vdash of\ (abs\ A\ M)\ (arrow\ A\ B)) \supset$ 
$\quad sn\ V \supset sn\ (M\ c) \supset reduce\ V\ A \supset$ 
$\quad (\forall U.\ reduce\ U\ A \supset reduce\ (M\ U)\ B) \supset$ 
$\quad reduce\ (app\ (abs\ A\ M)\ V)\ B$ 

The proof of this formula is by induction on sn V with a nested induction on sn (M c). 

Clearly reduce is closed under application and by (CR 1) it implies strong normalization, 
thus we strengthen our desired normalization result to the following: 

$\forall M, A.\ (\vdash of\ M\ A) \supset reduce\ M\ A.$

In order to prove this formula we will have to induct on the height of the proof of the typing 
judgment. However, when we consider the case that M is an abstraction, we will not be 
able to use the inductive hypothesis since reduce is defined only on closed terms, i.e., those 
typeable in the empty context. The standard way to deal with this issue is to generalize 
the desired formula to say that if M, a possibly open term, has type A then each closed 
instantiation for all the free variables in M, say N, satisfies reduce N A. This requires a 
formal description of simultaneous substitutions that can "close" a term. 

7.5.3 Arbitrary Cascading Substitutions and Freshness Results 

Given (L ⊢ of M A), i.e., an open term and its typing context, we define a process of 
substituting each free variable in M with a value V which satisfies the logical relation for 
the appropriate type. We define this subst relation as follows: 

$subst\ nil\ M\ M = \top$
$(\nabla x.\ subst\ ((of\ x\ A) :: L)\ (R\ x)\ M) = \exists U.\ reduce\ U\ A \wedge subst\ L\ (R\ U)\ M$

By employing nominal abstraction in the second clause, we are able to use the notion of 
substitution in the meta-logic to directly and succinctly encode substitution in the object 
language. Also note that we are, in fact, defining a process of cascading substitutions rather 
than simultaneous substitutions. Since the substitutions we define (using closed terms) do 
not affect each other, these two notions of substitution are equivalent. We will have to 
prove some part of this formally, of course, which in turn requires proving results about the 
(non) occurrences of nominal constants in our judgments. 

One consequence of defining cascading substitutions via the notion of substitution in 
the meta-logic is that we do not get to specify where substitutions are applied in a term. 
In particular, given an abstraction abs A R we cannot preclude the possibility that a 
substitution for a nominal constant in this term will affect the type A. Instead, we must 
show that well-formed types cannot contain free variables, which we formalize as 

$\forall A.\ \nabla x.\ (\vdash type\ (A\ x)) \supset \exists A'.\ (A = \lambda y.\ A').$

This formula essentially states that any dependency a type has on nominal constants must be 
vacuous. A related result is that in any provable judgment of the form (L ⊢ of M A), any 
nominal constant (denoting a free variable) in M must also occur in L, i.e., 

$\forall L, M, A.\ \nabla x.\ ctx\ L \supset (L \vdash of\ (M\ x)\ (A\ x)) \supset \exists M'.\ (M = \lambda y.\ M')$

This is proved by induction on the of judgment. 

Given these results about the (non) occurrences of nominal constants in judgments, 
we can now prove fundamental properties of arbitrary cascading substitutions. The first 
property states that closed terms, those typeable in the empty context, are not affected by 
substitutions, i.e., 

$\forall L, M, N, A.\ (\vdash of\ M\ A) \supset subst\ L\ M\ N \supset (M = N).$

The proof here is by induction on subst which corresponds to induction on the length of 
the list L. The key step within the proof is using the lemma that any nominal constant 
in the judgment (Ih of M A) must also be contained in the context of that judgment. 
Since the context is empty in this case, there are no nominal constants in M and thus the 
substitutions from L do not affect it. 

We must show that our cascading substitutions act compositionally on terms in the 
simply-typed λ-calculus. For the term c this is almost trivial, 

$\forall L, M.\ subst\ L\ c\ M \supset (M = c).$

The proof is by induction on subst. For application we have the following. 

$\forall L, M, N, U.\ ctx\ L \supset subst\ L\ (app\ M\ N)\ U \supset$
$\qquad \exists M_U, N_U.\ (U = app\ M_U\ N_U) \wedge subst\ L\ M\ M_U \wedge subst\ L\ N\ N_U$

This is proved by induction on subst. Finally, for abstractions we prove the following, also 
by induction on subst: 

$\forall L, A, R, U.\ ctx\ L \supset subst\ L\ (abs\ A\ R)\ U \supset (\vdash type\ A) \supset$
$\qquad \exists R_U.\ (U = abs\ A\ R_U)\ \wedge$
$\qquad (\forall V.\ reduce\ V\ A \supset \nabla x.\ subst\ ((of\ x\ A) :: L)\ (R\ x)\ (R_U\ V))$

Here we have the additional hypothesis of (Ih type A) to ensure that the substitutions 
created from L do not affect A. At one point in this proof we have to show that the 
order in which cascading substitutions are applied is irrelevant. The key to showing this is 
realizing that all substitutions are for closed terms. Since closed terms cannot contain any 
nominal constants, substitutions do not affect each other. 

Finally, we must show that cascading substitutions preserve typing. Moreover, after 
applying a full cascading substitution for all the free variables in a term, that term should 
now be typeable in the empty context: 

$\forall L, M, N, A.\ ctx\ L \supset subst\ L\ M\ N \supset (L \vdash of\ M\ A) \supset (\vdash of\ N\ A).$

This formula is proved by induction on subst. 
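To make the four lemmas above concrete, here is an added example, constructed for this page and not code from the thesis or from Abella. It encodes the simply-typed λ-calculus in Python with the body of each abstraction as a Python function, so that substituting for a nominal constant underneath a binder is meta-level function composition, which is the same move that lets the definition of subst reuse the meta-logic's substitution. The cascade function walks the context list the way the clauses of subst do, with the reducible witnesses supplied explicitly instead of existentially; demo() checks that a closed value is unaffected by the cascade, that the cascade coincides with a simultaneous substitution and is order-independent because the substituted values are closed, and that the closed result is typable in the empty context while the open term is not. The names Nom, replace, cascade, simultaneous, typeof and the witness values are this example's own assumptions.

```python
"""Cascading substitutions that close an open term of the simply-typed
lambda-calculus, over a lambda-tree encoding in which the body of an
abstraction is a meta-level (Python) function.  Constructed example,
not code from the thesis or from Abella."""
from dataclasses import dataclass
from itertools import count
from typing import Callable, Dict, List, Tuple, Union

@dataclass(frozen=True)
class TyI: pass                                  # base type i
@dataclass(frozen=True)
class Arrow: dom: "Ty"; cod: "Ty"                # arrow A B
Ty = Union[TyI, Arrow]

@dataclass(frozen=True)
class C: pass                                    # the constant c
@dataclass(frozen=True)
class Nom: name: str                             # nominal constant = free variable
@dataclass(frozen=True)
class App: fn: "Tm"; arg: "Tm"                   # app M N
@dataclass(frozen=True)
class Abs: ty: Ty; body: Callable[["Tm"], "Tm"]  # abs A R, with R a function on terms
Tm = Union[C, Nom, App, Abs]

def show_ty(a: Ty) -> str:
    return "i" if isinstance(a, TyI) else f"({show_ty(a.dom)} -> {show_ty(a.cod)})"

def show(t: Tm, fresh=None) -> str:
    """Print a term; each binder is opened with a fresh name b0, b1, ... (the
    analogue of introducing a nominal constant when descending under it).
    Two terms are alpha-equivalent exactly when they print the same."""
    fresh = count() if fresh is None else fresh
    if isinstance(t, C): return "c"
    if isinstance(t, Nom): return t.name
    if isinstance(t, App): return f"(app {show(t.fn, fresh)} {show(t.arg, fresh)})"
    x = Nom(f"b{next(fresh)}")
    return f"(abs {show_ty(t.ty)} [{x.name}] {show(t.body(x), fresh)})"

def replace(t: Tm, x: Nom, u: Tm) -> Tm:
    """Substitute u for the nominal constant x in t.  Under a binder this is
    just function composition: no renaming or index shifting is needed."""
    if isinstance(t, Nom): return u if t == x else t
    if isinstance(t, App): return App(replace(t.fn, x, u), replace(t.arg, x, u))
    if isinstance(t, Abs): return Abs(t.ty, lambda v: replace(t.body(v), x, u))
    return t

def cascade(L: List[Tuple[Nom, Tm]], t: Tm) -> Tm:
    """subst L t: substitute for the head of L, then continue with the rest of L."""
    for x, u in L:
        t = replace(t, x, u)
    return t

def simultaneous(L: List[Tuple[Nom, Tm]], t: Tm) -> Tm:
    """Replace every nominal constant listed in L in a single pass over t."""
    table = dict(L)
    def go(s: Tm) -> Tm:
        if isinstance(s, Nom): return table.get(s, s)
        if isinstance(s, App): return App(go(s.fn), go(s.arg))
        if isinstance(s, Abs): return Abs(s.ty, lambda v: go(s.body(v)))
        return s
    return go(t)

def typeof(ctx: Dict[Nom, Ty], t: Tm, fresh=None) -> Ty:
    """The judgment (L |- of t A): ctx maps nominal constants to their types.
    Raises TypeError for an ill-typed term or a nominal constant not in ctx."""
    fresh = count() if fresh is None else fresh
    if isinstance(t, C): return TyI()
    if isinstance(t, Nom):
        if t not in ctx: raise TypeError(f"free variable {t.name} not in context")
        return ctx[t]
    if isinstance(t, App):
        f, a = typeof(ctx, t.fn, fresh), typeof(ctx, t.arg, fresh)
        if not isinstance(f, Arrow) or f.dom != a: raise TypeError("ill-typed application")
        return f.cod
    x = Nom(f"b{next(fresh)}")                   # fresh name for the bound variable
    return Arrow(t.ty, typeof({**ctx, x: t.ty}, t.body(x), fresh))

def demo() -> dict:
    """Open term M = abs (i->i) [y] (app y (app n1 n2)) in the context
    L = [of n1 (i->i), of n2 i], closed with the witnesses (abs i [z] z) and c."""
    i, ii = TyI(), Arrow(TyI(), TyI())
    n1, n2 = Nom("n1"), Nom("n2")
    M = Abs(ii, lambda y: App(y, App(n1, n2)))
    L = [(n1, Abs(i, lambda z: z)), (n2, C())]      # closed, well-typed witnesses
    N = cascade(L, M)
    try:
        typeof({}, M); open_ok = True
    except TypeError:
        open_ok = False
    return {
        "closed": show(N),
        "order_irrelevant": show(cascade(list(reversed(L)), M)) == show(N),
        "same_as_simultaneous": show(simultaneous(L, M)) == show(N),
        "closed_value_unaffected": show(cascade(L, L[0][1])) == show(L[0][1]),
        "open_typable_in_L": typeof({n1: ii, n2: i}, M) == Arrow(ii, i),
        "open_typable_in_empty": open_ok,           # False: n1 and n2 are free
        "closed_typable_in_empty": typeof({}, N) == Arrow(ii, i),
    }
```

Because the witnesses in L are closed, they contain no nominal constant that a later step of the cascade could replace, which is exactly why cascade and simultaneous agree and why the order of L does not matter; the typeof checks at the end are the analogue of the typing-preservation lemma.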


7.5.4 The Final Result 

Using cascading substitutions we can now formalize the generalization of strong normal- 
ization that we described earlier: given a (possibly open) well-typed term, every closed 
instantiation for it satisfies the logical relation reduce: 

$\forall L, M, N, A.\ ctx\ L \supset (L \vdash of\ M\ A) \supset subst\ L\ M\ N \supset reduce\ N\ A$

The proof of this formula is by induction on the typing judgment. The inductive cases 
are fairly straightforward using the compositional properties of cascading substitutions and 
various results about reducibility. In the base case, we must prove 

$\forall L, M, N, A.\ ctx\ L \supset member\ (of\ M\ A)\ L \supset subst\ L\ M\ N \supset reduce\ N\ A,$

which is done by induction on member. Strong normalization is now a simple corollary 
where we take L to be nil. Thus we have proved 



$\forall M, A.\ (\vdash of\ M\ A) \supset sn\ M.$



Chapter 8 



Related Work 

There are many frameworks which can be used to specify, to prototype, and to reason about 
computational systems. Some of these are designed specifically for this purpose while others 
have a different motivation, but can achieve a similar result. In this chapter we present a 
selection of these frameworks and contrast their capabilities with the framework put forth 
in this thesis. As the contributions of this thesis are primarily in the reasoning part of the 
framework, we shall give extra attention to this component in the comparisons. 

Our framework is based on a two-level logic approach to reasoning. We have found this 
to be very effective in practice, but one could use the logic G in a single-level logic fashion 
as well. The frameworks in this chapter come in both varieties: some use a two-level logic 
approach to which we can compare directly, while others use a single-level logic approach. 
In either case, the differences due to the reasoning approach used are often overshadowed 
by the differences in the treatment of binding. Thus we shall often say very little about the 
reasoning approach except when comparing against another two-level logic framework. 

We organize our comparison of frameworks around the techniques used to represent the 
binding structure of objects. This is by far the most salient characteristic of the frameworks, 
and has the largest effect on the succinctness and the quality of the corresponding reasoning. 
Thus we will focus on issues such as the representation of binding, determining equality 
modulo renaming of bound variables, capture-avoiding substitution, and representing judg- 
ments with side-conditions related to binding. We will use the example of the simply-typed 
λ-calculus from Section 1.2 to illustrate these issues. We will order our comparisons based 
on the kind of support for binding provided by the framework. Specifically, we will look at 
frameworks based on first-order, nominal, and higher-order representations. 

8.1 First-order Representations 

First-order representations provide no special treatment for binders. As a result, variables 
must be encoded using strings or integers and binding aspects must be captured through 
constructors. Further, mechanisms for manipulating and reasoning about binders must be 
developed by interpreting the constructors representing them on a case-by-case basis by 
users of the framework. On the other hand, the benefit of first-order representations is that 
many mature frameworks exist which support this type of representation. For example, 
languages like SML and Prolog can effectively prototype specifications written using a 
first-order representation, while in the reasoning phase, theorem provers like Coq [BC04], 
ACL2 [KMM00], and HOL [Har96] can operate directly on first-order representations. Our 
discussion in this section will focus not on any particular framework but rather on the 
benefits and costs of various first-order representations. In particular, we look at the three 
most common first-order representations: named, nameless, and locally nameless. 

8.1.1 Named Representation 

The most direct and naive approach to encoding binders is to assign each variable a fixed 
name. For instance, the term (λx:i. x) might be encoded as (abs "x" i (var "x")). Here we 
have picked a particular name, x, to denote the otherwise arbitrary variable in the function. 
This representation is very natural, but it creates at least three major problems for users. 

First, equality modulo the renaming of bound variables is not reflected in the represen- 
tation. For example, the terms (λx:i. x) and (λy:i. y) have two different representations, 
(abs "x" i (var "x")) and (abs "y" i (var "y")). Thus users of a named representation must 
explicitly define a notion of equivalence for each syntactic class with binding. This becomes 
particularly painful in reasoning where the user must establish many equivalence lemmas. 

Second, no support is provided for capture-avoiding substitution over binding, and in- 
stead users must define this substitution on their own. Naive capture-avoiding substitution 
is not structurally recursive, and thus one must resort to well-founded recursion or instead 
use simultaneous capture-avoiding substitution. Either choice results in additional over- 
head during reasoning when the user must prove various substitution lemmas. Moreover, 
substitution must be defined for each class of syntactic objects with binding, and the proofs 
of related lemmas must be repeated. 

Third, no logical support is provided for treating side-conditions related to variable 
binding structure. An example of such a side-condition is manifest in the following rule for 
typing abstractions in the λ-calculus: 

$\dfrac{\Gamma, x : a \vdash r : b}{\Gamma \vdash (\lambda x{:}a.\ r) : a \to b}$ (where $x$ does not occur in $\Gamma$)

With the named representation, users must devise their own mechanisms for treating such 
side-conditions. A naive approach in the case of the rule above is to select any fresh variable 
name, but this can lead to structural induction principles which are too weak to be usable 
in practice. Moreover, one must still prove that the choice for a variable name is truly 
arbitrary. 

Large-scale developments have been constructed using the named representation, and 
the result is often that the binding issues overwhelm the development. For instance, VanIn- 
wegen used a named representation to encode and reason about SML in the HOL theorem 
prover [Van96]. She noted: 

Proving theorems about substitutions (and related operations such as alpha- 
conversion) required far more time and HOL code than any other variety of 
theorems. 




8.1.2 Nameless Representation 

A more sophisticated first-order representation encodes each variable occurrence with an 
integer denoting the location of its binder relative to the binding structure around it. Com- 
monly, one uses the distance from the variable occurrence to its binder, measured in terms 
of other binders above it in the abstract syntax tree. For example, the term (λx:i. λy:i. x) 
would be encoded as (abs i (abs i (var 2))). Here the 2 denotes that the binder for this 
variable occurrence is two binders away. This kind of representation originates from de 
Bruijn [dB72] and hence is often referred to as the de Bruijn representation. 

The benefit of a nameless representation over a named representation is that α-equivalent 
terms, i.e., those that differ only in the names of bound variables, are syntactically iden- 
tical. Thus in the reasoning phase the user does not need to prove additional properties 
about α-equivalence. 

The nameless representation shares many problems with the named representation and 
has some additional ones as well. The nameless representation still requires users to define 
capture-avoiding substitution themselves, and now this makes it necessary to reason about 
the correctness of the arithmetical operations that have to be carried out for maintaining the 
consistency of the representation when effecting substitutions. A new difficulty introduced 
by the nameless treatment of variables is that representations become hard for humans to 
read, since different occurrences of the same variable in them may be rendered into different 
integers depending on the contexts in which they appear. This also has an impact on the 
statements of lemmas and theorems that often need to explicitly talk about re-numberings 
and other arithmetical operations over terms, thereby diminishing clarity. 

The nameless representation has been used in large-scale developments. Hirschkoff, for 
instance, used it to formalize the π-calculus in the Coq theorem prover [Hir97]. He found 
that the nameless representation simplified much of the work with bound variables versus 
the named representation, but the treatment of binding within it still overwhelmed the 
development. He concluded: 

Technical work, however, still represents the biggest part of our implementation, 
mainly due to the managing of De Bruijn indexes [...] Of our 800 proved lemmas, 
about 600 are concerned with operators on free names. 



8.1.3 Locally Nameless Representation 

The most promising first-order representation is a hybrid approach which uses the nameless 
representation for bound variables and the named representation for free variables. This is 
called the locally nameless representation [ACP+08, Cha09]. 

The locally nameless representation has advantages over both the named and name- 
less representations. First, α-equivalent terms are syntactically equal, as in the nameless 
representation. Second, the statement of lemmas and theorems rarely need to talk about 
arithmetical operations over terms. Third, since free and bound variables are syntacti- 
cally distinguished, capture-avoiding substitution can be defined in a straightforward and 
structurally recursive way. 

Like other first-order approaches, the locally nameless representation still requires users 
to define capture-avoiding substitution and prove various lemmas about it. A drawback 
specific to this representation is that users must provide functions which bind and unbind 
variables (i.e., implementing the interface between the named and nameless representa- 
tions). Constructing or deconstructing a term with binding requires going through these 
functions in order to ensure that certain invariants regarding free and bound variables are 
maintained. Finally, users must show that these binding and unbinding functions interact 
with substitution in appropriate ways. Recent progress has been made in automatically 
generating this type of infrastructure [AW09]. 

The locally nameless representation has some analogs to our own representation in 
the following sense: we represent bound variables using λ-terms and free variables using 
nominal constants. However, we provide capture-avoiding substitution for free to the user. 
Unbinding and binding of terms (e.g., switching between λ-binders and nominal constants) 
is handled using application and nominal abstraction, respectively. In the locally nameless 
approach one occasionally needs to prove that free variables can be renamed while preserving 
provability, while that is an innate property of our framework due to our treatment of 
nominal constants. The fundamental contrast is that the locally nameless representation 
allows one to use an existing theorem prover, but requires significant binding infrastructure 
to be constructed, while our representation requires a new theorem prover, but incorporates 
binding infrastructure into the theory underlying the prover. 

8.2 Nominal Representations 

The nominal representation of binding is a mild extension of first-order abstract syntax with 
support for α-equivalence classes. The basis of the nominal representation is an infinite 
collection of names called atoms together with a freshness predicate between atoms and 
other objects, denoted by the infix operator #, and a swapping operation involving a pair 
of atoms and a term. Binding is represented by means of a term constructor $\langle\cdot\rangle\cdot$ which 
takes an atom and a term. The nominal representation then assumes certain properties of 
swapping and freshness with respect to this constructor so that a-equivalence classes are 
respected. This representation is also referred to as nominal abstract syntax. 

Nominal representations were first introduced through the nominal logic of Pitts [Pit03], 
which is an extension of first-order logic. When working with nominal abstract syntax in 
a logical setting it is often desirable to quantify over fresh atoms. In this regard, a useful 
consequence of the properties assumed for freshness and swapping is that the following 
equivalence holds for any formula φ whose free variables are among a, x1, ..., xn, where a is of atom 
type: 

$\exists a.\ (a \mathbin{\#} x_1 \wedge \ldots \wedge a \mathbin{\#} x_n \wedge \phi) \equiv \forall a.\ (a \mathbin{\#} x_1 \wedge \ldots \wedge a \mathbin{\#} x_n \supset \phi)$

Nominal logic introduces the И-quantifier by defining Иa.φ as one of the above formulas. 
This is very reminiscent of the properties shown for the ∇-quantifier in Section 3.5.1 and 
in general, the ∇-quantifier and the И-quantifier behave very similarly. 
The most prominent specification and prototyping language based on nominal repre- 
sentations is αProlog, an extension of Prolog that accords a proof search interpretation to 
a version of Horn clauses in nominal logic [CU03]. In particular, αProlog allows the И- 
quantifier to appear in the heads of clauses. This allows αProlog to describe specifications 
which involve a finer treatment of names than what is possible in our specification logic of 
hH². However, it seems that αProlog clauses bear a close resemblance to the patterned 
form of definitions in G which allow the ∇-quantifier in the head (see Section 3.4). While 
a formal encoding of αProlog clauses as definitions in G is left to future work, we note that 
such definitions can be animated using a system similar to Bedwyr [BGM+07], a specifica- 
tion tool based on a simple proof search procedure for the Linc logic (one of the precursors 
to G). 

Nominal logic does not have a parallel to the fixed-point interpretation of definitions in 
G, and thus nominal logic cannot be used directly to reason about specifications written 
within it. Instead, such reasoning must be carried out indirectly by first formalizing the 
relevant nominal logic specification in a richer logic such as that underlying a system like 
Coq or Isabelle/HOL and then using the capabilities of that logic [ABW06, UT05]. The 
most prominent development in this area is the Nominal package for Isabelle/HOL. This 
package allows for an easy definition of syntactic objects with α-equivalence classes. This 
construction is conducted completely within the HOL logic and can thus be trusted. More- 
over, the construction of these α-equivalence classes and some boilerplate results about 
them are provided automatically via the macro-like features of Isabelle. This includes a 
strong induction principle which matches the one used in typical "pencil and paper" proofs, 
and it includes a recursion combinator which allows capture-avoiding substitution to be 
defined structurally. 

The nominal approach has a number of drawbacks. First, binding is only simulated by 
means of a distinguished constructor and thus substitution is not automatically provided. 
Instead, users must define it on their own for both specification and reasoning, and conse- 
quently, must prove substitution lemmas relative to their definition of substitution. Second, 
in order to use functions and predicates in the reasoning phase, one must prove properties 
which state that name swapping does not change the results of a function or the provability 
of a predicate, a property which is enforceable statically for definitions of predicates in 
G. Third, to effectively use the nominal representation in reasoning, one really needs an 
existing package which automates the construction of α-equivalence classes and proves the 
related lemmas. Although such a mature package exists for Isabelle/HOL, other theorem 
provers may not have the automation capabilities necessary to effectively construct such a 
package. Finally, an often trumpeted benefit of nominal representations is that they allow 
a first-class treatment of names, but the analyses enabled by that treatment seem no more 
powerful than what is now provided by nominal abstraction. A formal validation of this 
observation is left to future work. 
8.3 Higher-order Representations 

Higher-order representations use the meta-level function space to encode binding in object 
languages, e.g., by using data constructors such as abs : (tm → tm) → tm. This allows 
the object representation to inherit all the properties of binding from the meta-level. How- 
ever, traditional tools often have a very strong notion of equality (e.g., incorporating case 
analysis or fixed-point combinators) which makes them ill-suited to encoding higher-order 
representations. For this reason, we choose to focus here on frameworks based on the λ- 
tree syntax representation of binding which assumes only αβη-conversion in determining 
equality [Mil00]. This allows an adequate representation of object languages with binding, 
and provides free α-conversion and capture-avoiding substitution for those languages. The 
cost is that usually new frameworks must be developed which support the λ-tree syntax 
representation. In this section we discuss such frameworks which have been implemented. 

8.3.1 Hybrid 

Hybrid is a system which aims to support reasoning over higher-order abstract syntax 
specifications using traditional theorem provers such as Coq and Isabelle/HOL [FM09a]. 
The basic idea of the system is to translate higher-order abstract syntax descriptions into 
an underlying de Bruijn representation. The logic of the theorem prover then serves as 
the meta-logic in which reasoning is conducted. This approach necessarily produces more 
overhead during reasoning due to the need occasionally to reason about the effects of the 
translation. However, there is good reason to believe that most of this can be automated 
in the future. Also, Hybrid is often used in a two-level logic approach using a specification 
logic which is essentially identical to our own hH² specification language. 

The Hybrid system, by design, lacks a meta-logic with the tools to elegantly reason over 
higher-order abstract syntax descriptions. Most notably, the meta-logics used by Hybrid 
lack a device like the ∇-quantifier for reasoning about open terms and generic judgments. 
Recent work has suggested that such a device is not necessary for simple reasoning tasks 
such as type uniqueness arguments [FM09b]. Yet, it is unclear how the naive approach used 
in this work will scale to problems such as those proposed by the POPLmark Challenge 
[ABF+05]. In such problems one needs to recognize as equivalent those judgments which 
differ only in the renaming of free variables. Such a property is built into our meta-logic 
by representing such free variables by nominal constants, while in Hybrid one will have to 
manually develop and prove properties about notions of variable permutations. 

8.3.2 Twelf 

Twelf [PS99] is a system for specifying and reasoning with λ-tree syntax using LF, a depen- 
dently typed lambda calculus [HHP93]. In the LF methodology, object language judgments 
are encoded as LF types, and rules for making judgments are encoded as LF constructors 
for the corresponding types. The LF terms inhabiting these types are then derivations of 
judgments. Thus LF constitutes a specification language. Twelf implements an operational 
semantics for constructing LF terms which provides a means of animating LF specifications. 

Since dependent types can be exploited in LF specifications, these can often be more 
elegant than those described in our simply-typed setting. For example, one can provide a 
definition of simply-typed λ-terms where the type of a λ-term is reflected in the type of 
its LF representation. When it is done in this way, one does not need to talk about pre- 
terms and provide a separate typing judgment for selecting well-typed terms. Moreover, 
this allows some properties to be obtained for free. For example, we can define evaluation 
over this representation of simply-typed λ-calculus so that type preservation is a direct 
consequence of the type of the evaluation judgment (i.e., evaluation is defined to take a 
λ-term with a particular type and return another λ-term with the same type). However, in 
terms of expressive power, the simply-typed and dependently-typed specification languages 
are equivalent [Fel91]. Thus when referring to the example of the simply-typed λ-calculus 
we will assume that it is encoded in LF in the same style as in our framework. 

Since derivations of judgments are LF terms, we can think of defining further judgments 
over such terms. For example, suppose that we encode the simply-typed A-calculus in 
LF including the type constructors of and eval corresponding to typing and evaluation 
judgments and the corresponding term constructors for forming those judgments. Then we 
could define a judgment named preserve which holds of a derivation of (of t a), a derivation 
of (eval t v), and a derivation of (of v a). Viewing this judgment as one which takes the 
first two arguments and produces the third, we could provide term constructors for preserve 
which describe how derivations of (of t a) and (eval t v) are used to reconstruct a derivation 
of (of v a). Twelf can then check that this judgment is total in its first two arguments, i.e., 
it is defined and terminates for all inputs. If so, we can think of preserve as a proof of the 
meta-property that evaluation preserves typing in the simply-typed A-calculus. This style 
of encoding is known as a Twelf meta-theorem. 

The Twelf approach of encoding meta-theorems as LF judgments has some serious 
limitations. For example, consider the following statement of the type preservation theorem: 
"forall derivations of (of t a) and forall derivations of (eval t v) there exists a derivation of 
(of v a)." This theorem was encoded in an LF judgment which took the first two derivations 
as input and produced the last one as output. In general, a judgment representing a Twelf 
meta-theorem has inputs corresponding to ∀ quantifiers and outputs corresponding to ∃ 
quantifiers. Therefore, meta-theorems are restricted to a ∀∃ quantification structure. 

A related issue with the Twelf approach is that Twelf does not have a definition mecha- 
nism. Instead one has to use LF judgments to describe the properties of a specification. This 
is severely limiting since LF judgments can only describe behaviors that may happen and 
cannot describe those which must happen. For example, to state the strong normalization 
property for the simply-typed λ-calculus in Section 7.5 we used the following definition: 

$sn\ M = \forall M'.\ (\vdash step\ M\ M') \supset sn\ M'$

This says that in order for sn M to hold, every term to which M can convert must also 
satisfy sn. Such a definition is not possible with Twelf. A similar issue arises if one tries to 
encode the path equivalence property for λ-terms from Section 7.3. The hypothesis in this 
case is that every path in one λ-term must occur in the other λ-term. 

There is also a practical issue of relying on Twelf's totality checks in order to ensure that 
a meta-theorem is correct. It is possible, for example, for one to fill out the details of a meta- 
theorem so that totality holds, but for Twelf's checker to be unable to determine totality. 
In such a case, one must confront various options: 1) try to rewrite the meta-theorem so 
that totality is more evident, 2) wait for a new version of Twelf's totality checker that may 
be more powerful, or 3) do a careful hand proof of totality. The first option is not always 
possible, and the latter two are fairly undesirable. 

An interesting comparison between the Twelf approach and our own is in the treatment 
of judgment contexts. In our approach, the definition of seq includes a list argument which 
keeps track of the context of a judgment and makes it explicit during reasoning. We then 
define a predicate like ctx which will recognize the structure of such a context, and we 
prove various inversion lemmas about membership in that context. In Twelf, such contexts 
are called regular worlds, and although they are declared explicitly, they are kept implicit 
during reasoning. The Twelf machinery automatically provides the associated inversion 
properties of regular worlds. Like most automation, this is very useful when it works 
and rather bothersome when it does not. For instance, in the conversion between higher- 
order abstract syntax and de Bruijn representations from Section 7.4 we work with a 
context which has an arithmetical property which depends on the judgment being made. 
Specifically, the context must not contain de Bruijn indices which are greater than the depth 
at which the conversion judgment is being made. This is needed to ensure uniqueness of de 
Bruijn indices when descending underneath abstractions. The regular worlds mechanism 
of Twelf does not allow the description of a context to depend on the arguments of 
the judgments made in that context. Thus one cannot express this property directly and 
must instead find a way to work around this limitation, e.g., by making the context explicit 
[CrioH]. 

8.3.3 Delphin 

Delphin is a higher-order functional programming language which operates over LF terms 
and can serve as a meta-logic for LF specifications [Pos08]. Delphin makes a distinction 
between LF functions which are purely representational (i.e., that must be parametric in 
their argument) and Delphin functions which are computational (i.e., that may perform 
case analysis on their argument). A Delphin meta-theorem is a Delphin function which is 
total. For example, the property of type preservation for the simply-typed λ-calculus is 
encoded as a function which takes LF terms denoting derivations of (of t a) and (eval t v) 
and returns an LF term denoting a derivation of (of v a). Like Twelf, it is possible for 
Delphin not to be able to automatically determine totality of a meta-theorem, and then 
one must either rewrite the meta-theorem, wait for a stronger totality checker, or perform 
the totality check by hand. 

The central way in which Delphin improves on Twelf is that it treats Delphin functions 
as first-class, and thus more sophisticated properties can be encoded during reasoning. For 
example, the path equivalence of λ-terms from Section 7.3 can be encoded fairly directly 
in Delphin. The property that all the paths in the λ-term s must also exist in the λ-term 
t can be represented in Delphin by a function which takes a judgment like (path s p) and 
returns a judgment like (path t p), and such a function can be an input (i.e., hypothesis) 
to a Delphin meta-theorem stating the path equivalence property. 

Delphin also uses first-class functions to treat the contexts of specification judgments. 
When a Delphin meta-theorem is written, it may make a recursive call to itself underneath 
some additional abstractions. These abstractions create new variables for which the Delphin 
meta-theorem must be defined. To achieve this, the Delphin meta-theorem carries around 
an argument which is a function mapping such variables to an appropriate invariant. This 
approach to representing contexts is more flexible than the regular worlds approach of 
Twelf. Specifically, in the example of conversion between higher-order abstract syntax and 
de Bruijn representations from Section 7.4 the dependency between the judgment and the 
context in the judgment can be made explicit in Delphin. Thus one can prove that the 
conversion is deterministic in a fairly straightforward way in Delphin. 

Despite the additional flexibility that Delphin provides in working with the contexts of 
judgments, it still does not make those contexts explicit as in our approach. Thus, some 
operations over contexts which we can perform easily in our framework are difficult or 
impossible in the Delphin approach. For example, in our formalization of Girard's proof of 
strong normalization for the simply-typed λ-calculus in Section 7.5 we defined a process of 
closing a term by instantiating all free variables with closed terms of the appropriate types. 
This definition was based on walking over the context of the typing judgment of such a 
term, something that is not possible to do in Delphin. 

8.3.4 Tac 

Tac is a general framework for implementing logics. For the purposes of our present discus- 
sion, we will focus on the particular logic μLJ which is the most popular logic implemented 
in Tac [BMSV09b, Bae08a]. The logic μLJ comes from the same line of logics as 𝒢 and 
differs primarily in the semantics attributed to the ∇-quantifier. We recall that the in- 
terpretation of ∇ in 𝒢 is derived from adding to FOλ^{Δ∇} the exchange and strengthening 
properties related to this quantifier that are embodied in the following equivalences: 

∇x.∇y.F ≡ ∇y.∇x.F        ∇x.F ≡ F, x does not occur in F 

The μLJ logic eschews these additions, strengthening the interpretation of the ∇-quantifier 
instead through a capability to lift its predicative effect over types. At a practical, proof 
construction level, whereas the ∇-quantifier can be treated in 𝒢 using nominal constants, in 
μLJ it must be treated by using explicit local contexts for each formula in a sequent. The 
size and ordering of the local context is always respected and instantiations for existentially 
or universally quantified variables may only use those generic variables which appear in the 
local context. 
The μLJ logic does not have an operation like nominal abstraction and instead treats 
only equality. The issue with extending μLJ to treat nominal abstraction is that the pro- 
cess of nominal capture-avoiding substitution (through which the nominal abstraction rules 
are defined) is based on carrying substitution information from one formula into all other 
formulas in a sequent. In the minimal setting, however, such information may be invalid 
in other formulas because the local signatures do not match. For example, a substitution 
which replaces M by a variable x from the local context does not make any sense in a 
formula which contains M but has an empty local context. As a result of this lack of nomi- 
nal abstraction, the descriptions of properties such as the binding structure of specification 
judgment contexts in μLJ is less direct and thus harder to work with (see Figure 7.1 for 
an example). Furthermore, without nominal abstraction, one cannot directly formulate the 
invariants necessary to perform induction underneath ∇ (see Section 5.3.1). An ability of 
equivalent power is obtained in μLJ instead through the lifting capability mentioned earlier 
[Bae08b]. From a practical perspective, however, we find that reasoning based on lifting is 
often much more complicated than reasoning based on traditional induction combined with 
nominal abstraction. 

The benefit of minimal treatment of the ∇-quantifier is that the local context of a 
formula can be used to provide an adequate encoding for certain types of similar contexts 
in an encoding. This allows certain encodings to be shallower or to have fewer adequacy 
side-conditions than their counterparts in our setting. For example, in the statement of 
adequacy for our encoding of the specification logic into the predicate seq in Section 6.5.1 
we have the requirement that ∇-quantification is allowed only at inhabited types. This is 
necessary since if τ were an un-inhabited type then ∃τ x.⊤ should not be provable in the 
specification logic, and yet its encoding as a seq judgment is provable if ∇-quantification is 
allowed at type τ. The issue is that the specification logic existential quantifier is mapped 
to the meta-logic existential quantifier and the latter allows instantiations containing any 
nominal constants even if there are no other inhabitants at that type. If we take the 
definition of seq as being in μLJ then it should be an adequate encoding of the specification 
logic without any conditions. Thus the local context in the minimal approach provides an 
adequate representation of the variable signature of an hH² sequent. To achieve the same 
condition-less adequacy for 𝒢 would require explicitly carrying around a representation of 
the specification logic signature and using this to restrict the type of instantiations for meta- 
logic universal and existential quantifiers. This approach would require more work due to 
the need to establish properties about the signature, but this is the same work which is 
already required in the minimal approach. Moreover, this explicit encoding of the signature 
would allow one to directly analyze and interact with the signature (e.g., quantifying over 
all signatures of a certain type) which is not possible in the minimal approach. 

Chapter 9 

Conclusion and Future Work 

This thesis has concerned the development of a framework for specifying, prototyping, and 
reasoning about formal systems. The specific framework that has been of interest has two 
defining characteristics. First, it has been based on an intertwining of two distinct logics for 
specification and for reasoning about specifications. The specification logic has the prop- 
erty of also being executable, thereby rendering descriptions written in it transparently into 
prototypes of the formal systems that are encoded. The reasoning logic has the capability 
of directly embedding the specification logic; specifications themselves are represented in- 
directly through this medium. This is, in fact, the style of encoding that is developed here. 
The benefits of this approach are that the same specifications can be used for prototyp- 
ing and reasoning and generic properties of the specification logic can be proved and used 
to advantage in reasoning. The second important characteristic of our framework is that it 
uses a higher-order treatment of binding constructs, supporting this approach in both the 
specification and the reasoning levels through targeted logical devices. 

The focus in this thesis has been on the reasoning component of the above framework. 
In this context, we have developed the logic 𝒢 that provides the mechanism of fixed-point 
definitions that can also be interpreted inductively or co-inductively and that has sophis- 
ticated devices for dealing with higher-order representations of syntactic constructs. An 
important component of this logic is the notion of nominal abstraction that allows for the 
reflection into definitions of properties of objects introduced into proofs in the course of 
treating binding constructs. We have used 𝒢 as the basis of an interactive theorem prover 
called Abella and have explored a two-level logic approach to reasoning about formal sys- 
tems in its context. This system has been applied to several interesting reasoning examples 
and has yielded appealing solutions in most of these situations. 

While several promising results have been obtained in this thesis, there remain many 
more interesting things still to be done. We sketch below some possible ways in which 
the framework for specification, prototyping, and reasoning that has been considered can 
be further enriched. The kind of work involved in realizing these possibilities ranges from 
foundational considerations for increasing the expressive power of the meta-logic to more 
implementation oriented efforts to better facilitate the reasoning process. 

9.1 More Permissive Stratification Conditions for Definitions 

The stratification condition for definitions in 𝒢 is fairly simplistic, and it rules out seemingly 
well-behaved definitions such as the reducibility relation used in logical relations arguments 
(see Section 7.5). One could imagine a more sophisticated condition which would allow 
definitions to be stratified based on an ordering relation over the arguments of the predicate 
being defined. The proof theoretic arguments needed to prove cut-elimination for a logic 
with such definitions seem rather delicate, particularly since we allow substitutions which 
may interfere with any ordering based on term structure. From the perspective of developing 
the theory for such an extension, a first step might be to realize the addition to the LINC⁻ 
logic [TM09]. Given the way the cut-elimination proof for 𝒢 has been obtained from cut- 
elimination for LINC⁻, if we can successfully carry out such an extension to LINC⁻, the 
desired result relative to 𝒢 might then follow easily. 

(∇x. typeof (L x) x A) ≜ ∇x. member (assm x A) (L x) 
typeof L (app M N) B ≜ ∃A. typeof L M (arr A B) ∧ typeof L N A 
typeof L (abs A R) (arr A B) ≜ ∇x. typeof ((assm x A) :: L) (R x) B 

Figure 9.1: Typing judgment directly within 𝒢 

There is also an interaction of this line of research with the development of induction 
and co-induction. The strict notion of stratification that 𝒢 uses ensures that each definition 
describes a single fixed-point and the induction and co-induction rules operate on this 
structure. However, if we weaken the stratification condition, then each definition can be 
viewed as a possibly infinite collection of fixed-points. The rules for induction and co- 
induction must be carefully adapted in light of this fact. 

9.2 Context Inversion Properties 

When reasoning about specification judgments we often need to describe and utilize prop- 
erties of the contexts in which those judgments are formed. This takes the form of stating 
a definition describing those contexts, proving various inversion lemmas about membership 
in those contexts, and then applying these lemmas at the appropriate times. Manually 
stating, proving, and using these lemmas introduces a fair amount of overhead which seems 
mundane enough that we might want to avoid it. 

One option is to attack this problem with automation. One could imagine automati- 
cally generating and proving inversion properties for those definitions which can be seen 
as describing contexts. The inversion properties follow directly from the definitions, and 
the proofs are by simple inductive arguments. These lemmas could then be automatically 
applied anytime we have a member of such a context. However, it is unlikely that such 
automation of these properties would be able to cope with more complicated properties of 
contexts such as those used in the conversion between higher-order abstract syntax and the 
de Bruijn representation (see Section 7.4). 

Another option would be to devise an alternate version of the specification logic or of 
its encoding in the meta-logic so that such context inversion properties are not needed as 
often. It is unclear how such alternatives would be developed, but as an analogy, consider 
the following. Typing for the simply-typed λ-calculus can be defined directly within 𝒢 via 
a definition of (typeof L M A) which holds when M has type A in the typing context L. 
The clauses for this definition are presented in Figure 9.1. Using nominal abstraction, this 
definition of typing directly precludes the possibility of looking anything up in the context 
which is not of the form (assm x A) for some nominal constant x. Thus one does not 
need to deal with superfluous cases when performing case analysis on a typing judgment. 
Note, however, that uniqueness properties regarding the typing context would still need to 
be handled manually. 
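As an added illustration of the three clauses of Figure 9.1 (this is example code written for this discussion, not part of the thesis or of Abella), the following Python reads the typing definition as a type synthesis procedure over an explicit context. The representation is an assumption of the example: nominal constants play the role of the x introduced by ∇, an abstraction carries its body as a Python function standing in for the abstraction R, and the context is a list holding nothing but entries of the shape (assm x A). That last choice is the point the text makes: the lookup clause can only ever meet an assm entry, so no other case needs to be considered, whereas the uniqueness of the type assigned to a given x is not provided by the definition and has to be handled separately (here, by an explicit check that raises when the context is ambiguous).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

# Object-language types: a base type and the arrow type (arr A B).
@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class Arr:
    dom: "Ty"
    cod: "Ty"

Ty = Union[Base, Arr]

# Terms.  A nominal constant stands for a variable introduced by nabla; an
# abstraction (abs A R) carries R as a function from terms to terms.
@dataclass(frozen=True)
class Nom:
    name: str

@dataclass(frozen=True)
class App:
    fn: "Tm"
    arg: "Tm"

@dataclass(frozen=True)
class Abs:
    ty: Ty
    body: Callable[["Tm"], "Tm"]

Tm = Union[Nom, App, Abs]

# The typing context: by construction it contains only (assm x A) entries.
@dataclass(frozen=True)
class Assm:
    x: Nom
    ty: Ty

Ctx = List[Assm]

def fresh(L: Ctx) -> Nom:
    """A nominal constant not occurring in L, the freshness that nabla provides."""
    used = {a.x.name for a in L}
    i = 0
    while f"n{i}" in used:
        i += 1
    return Nom(f"n{i}")

def typeof(L: Ctx, M: Tm) -> Optional[Ty]:
    """Type synthesis following the clauses of Figure 9.1: returns the A with
    (typeof L M A), or None when no clause applies to M in context L."""
    if isinstance(M, Nom):
        # First clause: the only thing that can be looked up is an entry of
        # the form (assm x A); no other shape of context entry exists.
        hits = [a.ty for a in L if a.x == M]
        if not hits:
            return None
        # Uniqueness of the type assigned to x is not part of the definition;
        # it has to be established by hand, so here it is checked explicitly.
        if any(t != hits[0] for t in hits[1:]):
            raise ValueError(f"context assigns several types to {M.name}")
        return hits[0]
    if isinstance(M, App):
        # Second clause: from typeof L M (arr A B) and typeof L N A conclude B.
        f = typeof(L, M.fn)
        a = typeof(L, M.arg)
        if isinstance(f, Arr) and a is not None and f.dom == a:
            return f.cod
        return None
    if isinstance(M, Abs):
        # Third clause: open the abstraction with a fresh nominal constant x
        # and extend the context with (assm x A).
        x = fresh(L)
        b = typeof([Assm(x, M.ty)] + L, M.body(x))
        return Arr(M.ty, b) if b is not None else None
    raise TypeError(f"unknown term {M!r}")

# Constructed sample terms at a base type i: identity, K, and self-application.
I = Base("i")
IDENT = Abs(I, lambda x: x)
K = Abs(I, lambda x: Abs(I, lambda y: x))
SELF_APP = Abs(I, lambda x: App(x, x))

if __name__ == "__main__":
    print(typeof([], IDENT), typeof([], K), typeof([], SELF_APP))
```

The recursive call under an abstraction mirrors the ∇ in the third clause: the context is extended with a single assm entry for a name that occurs nowhere else, so the invariant that every entry has the form (assm x A) with x a nominal constant is preserved without any inversion lemma.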

9.3 Types and Explicit Typing 

The types in 𝒢 play no role in reasoning except to restrict the valid instantiations of quan- 
tifiers. Thus, for example, one cannot directly perform induction or case analysis on a term 
based on its type. Instead, one must create a definition which recognizes terms of that type, 
and then use induction or case analysis on that definition. This requires that one knows 
that the definition holds on the term, which in turn may require carrying around more 
explicit typing information in the specification or reasoning. All of this creates overhead 
just to work effectively with types. For example, in formalizing Girard's proof of strong 
normalization for the simply-typed λ-calculus (Section 7.5) we had to create a specification 
logic judgment which recognized well-formed types. This judgment was then carried around 
during reasoning, and it even had to be put into the specification of the object language 
typing judgment. We then had to prove a lemma which said that an object language type 
could not contain any nominal constants. 

One possible solution is to attach explicit typing information to every variable in the 
specification and in reasoning. Ideally this should be done in such a way that the end user 
would not need to deal with explicit typing information, but would be able to perform 
operations like induction and case analysis based on the type of a term. A major difficulty 
in such automation would be dealing with the contexts needed to recognize terms which 
use higher-order abstract syntax. Multiple terms may have different contexts which have 
a particular relationship to each other which needs to be maintained. It is not clear how 
such information could be succinctly expressed. 

9.4 Alternate Specification Logics 

One motivation for the two-level logic approach to reasoning is that it lets us use general 
properties of a specification logic in reasoning about particular specifications. This approach 
has been successful relative to the second-order hereditary Harrop formula logic. However, 
different problem domains might require different specification logics. For example, a linear 
specification logic that allows for transient judgments has been found useful in characterizing 
properties of hardware [Chi95] and programming languages with references [MM02]. One 
can imagine an extension of the Abella system which allows different specification logics to 
be plugged in and used as particular reasoning tasks demand. Given the way our framework 
is designed, judgments from these different specification languages would be able to co-exist 
during reasoning. 

9.5 Focusing and Proof Search 

Recent research has been looking at techniques for guiding proof search in 𝒢-like logics 
based on the notion of focusing [BM07, BMSV09a]. These techniques allow the automation 
of a significant portion of the reasoning process by pruning redundant choices. For example, 
it was proven that if an atomic judgment is to be inducted on during a proof, then this 
induction can be done immediately. These techniques have been effectively realized in the 
Tac theorem prover [BMSV09b]. The Abella system could also be extended to support this 
type of automation. Moreover, one should investigate how this automation interacts with 
the two-level logic approach to reasoning. 

9.6 An Integrated Framework 

The Teyjus system allows for animating descriptions in our specification logic and the Abella 
system allows for reasoning about such descriptions. It would be worthwhile to combine 
these systems into an integrated framework which enables a more fluid relationship between 
the processes of specification and reasoning. In its simplest form, such an integration would 
allow the different aspects of prototyping and reasoning to be invoked seamlessly from a 
common description of a formal system. As an example of a deeper kind of integration 
looked at from the perspective of the reasoning component, uses of the defL and defR rules 
relative to the encodings of specifications within 𝒢 can draw benefit from computations 
within the specification logic. An important issue to be tackled in implementing such 
relationships would be that of designing an interface that allows a smooth transition between 
the different functionalities that Teyjus and Abella, the two currently separate components 
of our framework, provide. 